In recent months, I have been involved in a project that required some basic knowledge of cryptography, such as verifying the signature of downloaded artifacts. Additionally, as an interviewer, I had the opportunity to ask candidates questions about the fundamentals of cryptography while seeking to expand our team. Surprisingly, despite their impressive software development skills, including experience as Leads, Seniors, and professionals with over 10-20 years of experience, as well as university degrees in Computer Science and vendor-specific certificates, none of the 8 candidates were able to answer a simple question – what is a digital certificate (or what is an X.509 digital certificate)? This realization led me to write this short article to share some knowledge and shed light on this topic.
When asking a question during an interview, there are specific key terms you hope to hear in the response. In this case, the key term is Public Key.
Several variants of the answer that I would accept:
- “A digital certificate is a Public Key”
– while not entirely accurate, this response is still more acceptable than vague answers like “it is something for ensuring authenticity.”
- “A digital certificate is a Public Key with a digital signature”
– already much better than just “Public Key”!
- “A digital certificate is a data structure that holds the Public Key along with additional fields such as validity period, key usage, cryptographic algorithm, version, CRL, etc. This structure is digitally signed by a Certification Authority.”
– it would be nice to hear something like this.
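The third answer, as an added example that is not part of the original article: assemble a leaf certificate from the fields listed above (version, serial, validity, key usage, CRL pointer, public key), have a constructed root CA sign it, read the fields back, and verify the CA's signature over the to-be-signed bytes. It uses the third-party `cryptography` package; the CA and subject names and the CRL URL are constructed placeholders.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
def issue(subject_cn, issuer_name, signing_key, public_key, is_ca):
    """Build the TBS structure (version, serial, validity, usage, CRL pointer, public key), then sign it."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(issuer_name)
        .public_key(public_key)  # the one field most candidates remember
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(digital_signature=True, key_cert_sign=is_ca, crl_sign=is_ca,
            content_commitment=False, key_encipherment=False, data_encipherment=False,
            key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(  # constructed placeholder URL
            [x509.UniformResourceIdentifier("http://crl.example.test/ca.crl")], None, None, None)]), critical=False)
    )
    return builder.sign(signing_key, hashes.SHA256())  # signatureValue computed over the TBS bytes

def build_chain():
    # Self-signed root CA plus one leaf certificate issued by it (constructed names).
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    ca_cert = issue("Example Root CA", ca_name, ca_key, ca_key.public_key(), is_ca=True)
    leaf_cert = issue("artifacts.example.test", ca_name, ca_key, leaf_key.public_key(), is_ca=False)
    return ca_cert, leaf_cert

def describe(cert):
    # Read back the fields a certificate carries besides the bare public key.
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    crl = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return {"version": cert.version.name, "subject": cert.subject.rfc4514_string(),
            "issuer": cert.issuer.rfc4514_string(), "hash": cert.signature_hash_algorithm.name,
            "key_cert_sign": ku.key_cert_sign, "crl_urls": [n.value for dp in crl for n in dp.full_name]}

def signature_is_valid(cert, issuer_cert):
    # The "signed by a CA" part: check signatureValue over tbsCertificate with the issuer's public key.
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False
```

Checking the leaf against the root's public key succeeds, while checking it against any other key fails, which is exactly the distinction a bare public key cannot provide.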