What are digital certificates ?

Digital certificates are the digital equivalent (i.e. electronic format) of physical or paper certificates. Examples of physical certificates are drivers licenses, passports or membership cards. Certificates serve as identity of an individual for a certain purpose, e.g. a drivers license identifies someone who can legally drive in a particular country. Likewise, a digital certificate can be presented electronically to prove your identity or your right to access information or services on the Internet.

What exactly is a digital signature?

Just as a handwritten signature is affixed to a printed letter for verification that the letter originated from its purported sender, digital signature performs the same task for an electronic message. A digital signature is an encrypted version of a message digest, attached together with a message. A secure digital signature system consists of two parts:

A method of signing a document such that forgery is detected, and A method of verifying that a signature was actually generated by whomever it represents Asymmetric/ Public key vs. Symmetric/ Secret key: which cryptography system is better?

A combination of both. The action of encrypting information with public-key cryptography is significantly slower than encrypting with a secret key. However the drawback of the secret-key system is that, secret keys must be transmitted either manually or through a communication channel, and there may be a chance that others can discover the secret keys during transmission. This is not a problem with public-key cryptography, as private keys never need to be transmitted or revealed to anyone. Each user has sole responsibility for protecting his or her private key.

So, in practice public-key cryptography is used with secret-key cryptography to get the best of both worlds. A system that uses public-key cryptography first generates a secret key and uses the secret key to encrypt the message. Public-key cryptography key is then used to encrypt the secret key, which then is attached to the secret key-encrypted message.


What are the functions of a digital certificate?

Typically certificates are used to generate confidence in the legitimacy of a public key. In addition to verifying a signature, verifying the signers certificate increase the confidence of the receiver in ensuring that attempted forgery or impersonation has not occurred.

Digital certificates can be used as to verify someones (or some companys) identity. It can be used in a variety of ways including to control access on web sites, to create virtual private networks, to secure e-mail, and to guarantee the authenticity of downloaded software.

What are the contents of a Digital certificate?

A Digital Certificate contains three elements:

Subject Name and Other Certificate Extensions

This is information about the object being certified. In the case of a person this might include ones name, nationality and email address, your organization, and the department within that organization where you work. It could also include a picture of you, a codification of your fingerprints, your passport number, and so on.

Public Key Information

This is the public key of the entity being certified. The certificate acts to bind the public key to the attribute information described above. The public key can be any asymmetric key, but is usually an RSA key.

Certifying Authority (CA) Signature

The CA signs the first two elements and thereby adds credibility to the certificate. People who receive the certificate check the signature and will believe the attribute information public key binding if they trust that certifying authority.

What different kinds of digital certificates are t

Digital Certificates can be categorized into Server certificates and Personal certificates. The differences lie in the information they contain and who they identify. For example, a server certificate's "Common Name" attribute is usually set to a host name or host name pattern, like www.mtnltrustline.com, while a personal certificate would have this attribute set to your full name.

What are personal certificates?

Personal certificates serve to identify a person. It follows that the contents of this type of certificate include the full name and personal particulars of an individual. Among other uses of personal certificates some are: Secure e-mail correspondence and enhanced access control to sensitive or valuable information.

What are server certificates?

Server certificates identify a server (computer). Hence, instead of a name of a person, server certificates contain the host name. Server certificates are used to ensure that on-line transactions are secure.

What is data confidentiality?

Data confidentiality refers to a situation in which a message is inaccessible to others except the intended recipient(s). Encryption and decryption ensure confidentiality.

What do you mean by the Public Key Infrastructure

The PKI is the overall system of identifying parties on the Internet using their certificates. It is headed by a Certifying Authority that is responsible for issuing and verifying the validity of the digital certificates. It has evolved with the objective to provide security services like authentication, confidentiality, integrity & non-repudiation (binding customers and business to their transactions) across network and to provide means of identifying with whom one is communicating or doing business

What are the elements of PKI?

The elements of PKI are:

Certification Authority

Certification Authority issues and revokes certificates. It provides assurance that the certified information is correct and that the key used in signing certificates and CRLs is not compromised. CAs are bound by regulations. As the issuing authority, the CA plays a vital role in operation of certificate management system and delivery of CRLs at scheduled intervals. It also provides for audit-capabilities without risk of exposure.

Certificate Repository

The Certificate Repository is used to store the certificates and CRL information. It is used for obtaining latest status information about certificates. The CRL is a list of revoked certificates. The issuing CA digitally signs each list (this allows for the requestor to verify data integrity). This is used by users to search for certificates and CRLs.


The end-user is typically someone who uses PKI enabled services over the internet from a PC. The service includes secure e-mail among others. Mails may be encrypted by using the receiver's public key. The receiver can then verify the sender's signature. The mail having been exchanged and the important objective of non-repudiation, authentication, integrity, and confidentiality have been realized in the transaction, a legally binding contract between the end-user and the service provider and vice versa is made possible.

Service Provider

Service Provider refers to any application service provider like email services or any PKI based services. The service provider hosts the end entity which comprises the application server complete with security measures in place like firewalls to prevent unwanted attempts to access the server. Confidentiality security services are initiated between the end user and end entity after they have authenticated themselves. All data transport between the two entities takes place in an encrypted format from then on, thus assuring both parties of the confidentiality of the data transmission.

What are the processes in a PKI?

Certificate Issuance
Certificates are issued by the CA to the end-users and end-entities according to policies defined by the CA. The certificate issued by the CA, legally binds the certified public key to the user which also implies binding of the private key. The information contained in the certificate should be correct which is signed by the CA since an independent third party may verify that the CA issued the certificate. The certificate is usually issued for a short period depending on the purpose.

Certificate Revocation
Whenever a private key associated with a certificate gets exposed or is threatened to have been exposed, the owner of the certificate intimates the CA regarding the development. The CA then revokes the certificate. The revoked certificates are placed on a list called Certificate Revocation List (CRL) which is signed by the CA. The CRL is published to an easily accessible point on a regular basis. With a certificate revocation, association between the owner and the certificate expires which implies that the relying party should not accept the certificate for authentication.
Authentication/ Verification
The parties involved in a transaction may be authenticated by a challenge/response mechanism. In this one party poses a challenge that requires a response by the other. The end-user who has been challenged proves evidence of ownership of the certificate by providing a response that is encrypted with his private key. The challenging party then decrypts the response by using the public key contained in the certificate assumed to be that of the other party. After this the challenged party is considered authenticated if the decrypted response is verified to match the challenge. This authentication is done from both sides i.e. both from the client as well as the server side. The important requirement in this entire process is that both sides must trust the public key corresponding to the private key used by the CA while issuing the certificates. The CA plays a very important role in that it becomes the trust provider in the transaction, ensuring that the user trusts the certificate if it trusts the CA issuing the certificate.
Non-repudiation / Verification
Non-repudiation services are used in mail signing, signing crucial agreements etc. or business transactions. If the private key of the signature is protected, then the digital signature is impossible to copy. The certificate provides the non-repudiation service. Any party can verify that a noted CA issued the certificate. The act of non-repudiation is made possible through the use of a digital signature. The digital signature is created by encrypting given data with the private key. The receiving party would verify by using the certified public key to match the expected values. This procedure would ensure non-repudiation at the time of action, since the receiving party should be able to check for certificate validity and revocation status.

What is Cryptography?

Cryptography is the science of enabling secure communications between a sender and one or more recipients. This is achieved by the sender scrambling a message (with a computer program and a secret key) and leaving the recipient to unscramble the message (with the same computer program and a key, which may or may not be the same as the sender's key). There are two types of cryptography: Secret/ Symmetric Key Cryptography and Public/ Asymmetric Key Cryptography. The emphasis of cryptography is on data confidentiality, data integrity, sender authentication, and non-repudiation of origin/data accountability.

What is a key?

Physical keys are used for locking and unlocking. In cryptography, the equivalent functions are encryption and decryption. A key in this case is an algorithmic pattern or rule(s) to render the message unreadable.

What is encryption?

Encryption is the transformation of information from readable form into some unreadable form.

What is decryption ?

Decryption is the reverse of encryption; it's the transformation of encrypted data back into some intelligible form.

How important is the use of digital certificates?

Digital certificates and the CA are just two elements of the Public Key Infrastructure (PKI), an overall Internet security system. Once the PKI is operational, everyone who has a digital certificate can be traced and held accountable for their actions. Consequently, uses for the Internet, which could not be fully realized before, will finally take off: electronic banking and commerce (funds transfer, buying and paying on-line), on-line transactions with government agencies (applying for and renewing ICs, licenses, paying fines and bills), and on-line transactions between businesses. The day when the only way to do some of these transactions is through the Internet may not be too far off. Everyone who wants to be part of it will need digital certificates.

Invitation for Bids for supply ,delivery and implementation of cloud based software.



Invitation for Bids for Procurement of Software/Hardware and Implementation of Disater Recovery Centre of PKI Data Centre

Invitation for Bids for Procurement of Software/Hardware and Implementation of Disater Recovery Centre of PKI Data Centre Invitation for Bids…


Message from Controller

Office of Controller of Certification is formed under the ministry of Science, Technology and Environment with a view to implement Electronic Transaction Act 2063 and implementing digital signature in Nepal, regulations and policy responses for the development of ICT sector in the country as well as harnessing these technologies to meet key developmental challenges including those relating to governance reform…

Mr. Deepak Kumar Shrestha
Read More

Acts and Regulation : DOWNLOAD