From the course: CompTIA Security+ (SY0-701) Cert Prep: 1 General Security Concepts

Certificate types

There are several different types of certificates that may be used to secure systems. We've already discussed the importance of securing root certificates. These are the core certificates at the heart of a certificate authority, and they serve as the first certificate, or root of trust, in a certificate chain.

Another special type of certificate is the wildcard certificate. Wildcard certificates are able to match many different subjects, and because of this, they must be carefully secured. You can easily recognize wildcard certificates because they have special names, such as *.linkedin.com. The asterisk indicates that the certificate may be used for any subject name formed by replacing the asterisk with a single label under linkedin.com. This certificate will be valid for www.linkedin.com, mail.linkedin.com, secure.linkedin.com, or any other name of that form. One important note on wildcard certificates: the wildcard only goes one level deep. It replaces a single label, not multiple levels of names. For example, this wildcard certificate could not be used for www.secure.linkedin.com, and it does not cover the bare domain linkedin.com either; that name has to be listed in the certificate separately. Wildcard certificates are commonly used for load balancers and other devices that must serve many different host names. Using a wildcard certificate allows the device to present a valid certificate for all of the relevant subdomains without administrators having to obtain and install individual certificates for each subdomain. The trade-off is that a single private key now protects every one of those names, so a compromise of any host that holds the key puts all of the subdomains at risk. That is why these certificates must be carefully secured.

You already know that digital certificates are a statement of trust by a certificate authority. The CA is vouching for the identity of the certificate subject and assuring the public that it has verified the subject's identity. There are actually three different levels of verification that may be used, and the CA issues different certificates depending upon the degree of identity verification that it performed.

Domain Validation, or DV, certificates have the lowest level of trust. The CA simply confirms that the requester controls the domain, for example by checking the domain's ownership record and communicating with the registered owner, or by having the requester publish a CA-supplied value in DNS or on the web site, to make sure that the domain owner approves the issuance of the certificate. Organizational Validation, or OV, certificates go a step further. The CA verifies not only that the certificate subject controls the domain, but also that the name of the organization purchasing the certificate matches business records, such as state business registrations or reputable business databases. Extended Validation, or EV, certificates are the highest level of trust. After receiving documentation from the certificate subject, the CA performs an extensive investigation to verify the physical existence and legitimacy of the organization. Keep in mind that the validation level says nothing about the strength of the cryptography: a DV certificate and an EV certificate protect a TLS connection equally well, and the difference lies only in how much the CA has verified about who is behind the site. You can tell which level a certificate was issued at from its certificate policies extension, where the CA/Browser Forum policy identifiers 2.23.140.1.2.1, 2.23.140.1.2.2, and 2.23.140.1.1 indicate DV, OV, and EV respectively. Security professionals should understand these different types of digital certificates, and be ready to explain the degree of trust that each implies, as well as select appropriate digital certificate types for use in their organizations.
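The wildcard matching rules described above (the asterisk stands for exactly one label, it never covers the bare domain, and it never reaches down an extra level) are the rules a TLS client applies when it compares the host name it asked for against the names listed in a certificate. The following Python checker is an added example and not part of the course; it implements those rules as given in RFC 6125 section 6.4.3. The *.linkedin.com names are used only because the lecture uses them, and SAMPLE_SAN_NAMES is a constructed list standing in for the subject alternative names a wildcard certificate might carry, not a real certificate.

```python
"""Host name matching against wildcard certificate names (added example).

Rules implemented (RFC 6125 section 6.4.3):
  * a wildcard is only valid as the entire leftmost label (*.example.com,
    not w*.example.com and not www.*.example.com);
  * the wildcard matches exactly one label, so *.linkedin.com covers
    www.linkedin.com but not www.secure.linkedin.com or linkedin.com;
  * matching is case-insensitive and a trailing dot is ignored.
"""

import re

# Constructed sample: the dNSName entries a *.linkedin.com certificate
# might list. The bare domain has to appear explicitly to be covered.
SAMPLE_SAN_NAMES = ["*.linkedin.com", "linkedin.com"]

# One DNS label: letters, digits and hyphens, 1-63 characters,
# not starting or ending with a hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _labels(name):
    """Normalise a name to lower-case labels, dropping a trailing dot."""
    return name.rstrip(".").lower().split(".")


def is_valid_wildcard_pattern(pattern):
    """Accept a plain name, or a wildcard that is the whole leftmost label
    followed by at least two more labels (so *.com and * are rejected)."""
    labels = _labels(pattern)
    if pattern.count("*") == 0:
        return all(_LABEL.match(label) for label in labels)
    if pattern.count("*") > 1 or labels[0] != "*":
        return False
    if len(labels) < 3:
        return False
    return all(_LABEL.match(label) for label in labels[1:])


def hostname_matches(hostname, pattern):
    """True if one certificate name (plain or wildcard) covers hostname."""
    if not is_valid_wildcard_pattern(pattern):
        return False
    host = _labels(hostname)
    if "*" in hostname or not all(_LABEL.match(label) for label in host):
        return False
    pat = _labels(pattern)
    if pat[0] != "*":
        return host == pat
    # The wildcard consumes exactly one label, so the label counts must be
    # equal and everything to the right of the wildcard must match exactly.
    return len(host) == len(pat) and host[1:] == pat[1:]


def certificate_covers(hostname, san_names):
    """True if any name in the certificate's SAN list covers hostname."""
    return any(hostname_matches(hostname, name) for name in san_names)


if __name__ == "__main__":
    # Demonstration on the lecture's examples plus the edge cases it warns about.
    for host in [
        "www.linkedin.com",
        "mail.linkedin.com",
        "SECURE.LinkedIn.com",
        "www.secure.linkedin.com",   # two levels deep: not covered
        "linkedin.com",              # apex: covered only by the explicit entry
        "evil-linkedin.com",         # different domain that merely ends in linkedin.com
    ]:
        print(f"{host:28} covered={certificate_covers(host, SAMPLE_SAN_NAMES)}")
```

In production code you should not hand-roll this check; enable the hostname verification your TLS library already provides (for Python's ssl module that is the default check_hostname=True on a default SSLContext). The block exists to make the matching rules visible, which is useful when you are deciding whether a wildcard certificate will actually cover a host name before you deploy it.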