A Field Guide to PKI Encryption: 9 Types of Certificates Explained

Digital certificates are the primary vehicle by which people and machines are identified and authenticated, making management more complicated as your organization grows.

Organizations use SSL/TLS certificates to secure the transmission of confidential information, but certificates can also be used to sign code and secure Internet of Things (IoT) devices. Managing and protecting certificates at scale can be a challenge, but insecure certificates are a major cybersecurity risk.

In order to maintain the safety and security of your organization’s website, software, and digital infrastructure, anyone involved with PKI should know the types of certificates, how they work, and what they protect.

Certificates vary depending on what they’re used to protect. From websites to IoT devices, it’s important to understand the different types of certificates as part of your management strategy.

SSL/TLS certificates

SSL/TLS certificates are used to establish secure connections between web servers and browsers. They encrypt data transmission on websites, preventing eavesdropping by hackers. These certificates are visually represented by padlocks in browser bars.

• Single Domain SSL: Secures a single domain name. Ideal for small websites or landing pages, difficult to scale.
• Wildcard SSL: Protects a domain and an unlimited number of its subdomains by employing the wildcard character (*) in the domain name field.
• Multi-domain SAN (Subject Alternative Name) SSL: Secures multiple unrelated domains within a single certificate. Suitable for companies managing various independent domains or offering services to other businesses.

Within SSL certificates, there are multiple validation levels. These validation levels are used to verify the identity of the certificate owner.

• Domain Validation: Verifies domain ownership, but not company identity. This validation is best used for basic website security or for personal blogs.
• Organization Validation: Confirms domain ownership and basic organizational information, making it suitable for businesses seeking to establish trust with their customers and prospects.
• Extended Validation: Most rigorous validation, verifies domain ownership, company existence, and legitimacy. This validation is important for businesses dealing with highly sensitive customer information, like financial institutions and healthcare providers.

Code signing certificates

Code signing certificates are used to verify the authenticity and integrity of software code, ensuring users download untampered code from trusted sources.

Users who download software directly from a company’s website often encounter a code signing certificate. When the download starts, your browser or operating system might check the certificate to be sure the software hasn’t been modified.

Email signing and encryption certificates

Email certificates allow users to digitally sign and encrypt emails, verifying the sender’s identity and confirming the email hasn’t been altered. Only the intended recipient can decrypt and read the email content.

For example, a lawyer might use an email signing certificate to send a signed copy of a legal document to a client, protecting it from tampering.

Client authentication certificates

Client authentication certificates verify the identity of users trying to access a network or server, adding an extra layer of security beyond usernames and passwords.

Businesses might require employees to use client authentication certificates when using a VPN client to remotely connect to the company’s internal network.

Document signing certificates

Document signing certificates are used to digitally sign electronic documents, verifying the document’s origin.

Digitally signing a contract using a document signing certificate means both parties involved can confirm the document’s authenticity and integrity.

Verified mark certificates

These specialized certificates display a trusted mark within the browser bar alongside the SSL certificate. Users can verify the website’s ownership and brand identity, promoting trust.

For example, a bank might use a VMC and display their official logo next to the secure connection padlock in the browser bar, so bank customers know they’re in the right place for protected transactions.

IoT certificates 

These lightweight certificates are used to secure communication between IoT devices. IoT devices can be easier for hackers to compromise if they aren’t up to date, so a constraining certificate protects bad actors from using an IoT device to disrupt your work.

A smart thermostat might use an IoT certificate to securely communicate with a cloud server for temperature adjustments.

DevOps and other ephemeral certificates

Ephemeral certificates are designed to expire quickly, streamlining management in DevOps environments with frequent deployments and infrastructure changes.

During a software deployment in a DevOps environment, an ephemeral certificate might be used to temporarily secure communication between a newly created server or test environment and other components of the software in development.

Certificate Authority (CA) certificates

Last but not least, CA certificates aren’t directly used for user or device authentication, but they are used to verify the identity of the Certificate Authority itself. CAs issue all of the types of certificates listed above, so their trustworthiness is crucial to security.

The root of trust in the Public Key Infrastructure (PKI) system is the authenticity of CAs and your browser or operating system’s ability to automatically trust them. After the CA has been verified, it can be used to verify the other certificates you encounter.

Managing the different types of certificates doesn’t end with issuance. Every certificate has an expiration date, which means the work of maintaining your digital certificate is ongoing.

For example, it’s generally considered best practice to revoke and reissue SSL/TLS certificates annually. Most major browsers will deny connections to servers with certificates more than 398 days old, whether they’re expired or not.

Effective certificate lifecycle management starts with a comprehensive audit of every certificate in use. It’s crucial to keep an exact inventory and monitor all certificates, keys, and the root of trust (RoT) to identify any potential threats and make quick adjustments accordingly.

You can maintain the health of this security by updating certificates, keys, and the RoT as needed and revoking any certificates and keys when the relevant devices are no longer in use.

Strong and secure certificate lifecycle management starts with good organization. Now that you’ve learned about the different types of certificates, here are a few more suggestions for the future:

1. Avoid management by spreadsheet. When you begin to manage 100 or more certificates, it’s time to call in backup. Use a certificate manager to discover and track the lifecycle of all your certificates so that you gain visibility across all certificates–even shadow IT–and won’t be caught out of date.

2. Standardize practices and policies. No matter how many certificates you have to manage, determine your standard practices and document them thoroughly. This saves time during training and provides transparency across your organization, so everyone knows the security practices to follow.

3. Prevent outages by automating certificate lifecycle management. Automating the lifecycle gives you confidence that critical systems won’t go offline if you miss a calendar reminder or a note in a spreadsheet. Automated tasks take care of the easily repeatable actions in certificate management and prevent errors, so you have peace of mind.

With good planning and the help of automated tasks, your ability to maintain crucial digital certificates will be a matter of routine, freeing you up for more important tasks.

Establishing trust with digital certificates is essential, and Keyfactor is here to help! Check out our resources to learn how the Keyfactor platform handles all types of certificates and delivers high-quality certificate management. You can read the latest industry news here and request a demo here.