1.1 What is a Digital Certificate?
A digital certificate, also known as a public key certificate or identity certificate, is an electronic document that bind the identity of the certificate owner to a pair of electronic encryption keys, (one public and one private), that can be used to encrypt and sign information digitally. The main purpose of the digital certificate is to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued, in other words, to verify that a person sending a message is who he or she claims to be.
The digital certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). The issuer shall be a certification service provider (CSP).
1.2 What is a Digital Signature?
A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, digital document, software installer or driver. As the digital equivalent of a handwritten signature or stamped seal, a digital signature offers far more inherent security, and it is intended to solve the problem of tampering and impersonation in digital communications.
Digital signatures can provide the added assurances of evidence of origin, identity and status of an electronic document, transaction or message and can acknowledge informed consent by the signer.
To create a digital signature, the signing software creates a one-way hash of the data (email/document etc.) to be signed. The private key is then used to encrypt the hash. This encrypted hash, plus other information like the hashing algorithm used, is the digital signature.
You need a digital certificate to digitally sign a document. However, if you create and use a self-signed certificate the recipients of your documents will not be able to verify the authenticity of your digital signature. They will have to manually trust your self-signed certificate.
If you want the recipients of your documents to be able to verify the authenticity of your digital signature then you must obtain a digital certificate from a reputable CSP.
1.3 What is the Difference Between Electronic Signatures and Digital Signatures?
There are two types of online signatures – Digital and Electronic. An Electronic Signature is the electronic version of your hand-written signature. This includes methods such as using a tablet or mobile app to capture an image of a handwritten signature, typing your name into a signature box, signing for a delivery on the courier’s digital device, or agreeing to the terms and conditions of a particular document. Electronic signatures offer a less secure platform as there are no standards or coding techniques involved with them. The receiver cannot verify the identity of the sender.
A digital signature is much more than an electronic signature. Unlike electronic signatures, digital signatures come under specific standards and a stringent verification process. It involves the use of a code or algorithm to sign and validate the authenticity of a document. It becomes intrinsically linked to the content of the digital document using encryption. In order to use Digital signatures, you must obtain a digital certificate from the trusted CSP. The CSP thoroughly verifies your identity before issuing the certificate. Therefore, Digital signatures are very secure, hard to deny, are nearly always time stamped and represent the individual signatories by giving details of the person signing the document, such as full name, email address and company name – they are tied to the digital signature of the document through the certificate.
2.1 Can I obtain a digital certificate from NCA Root CA?
No, NCA root CA only issue certificates to accredited Certification Service Providers (CSPs) operating in Sri Lanka. CSPs issue digital certificates to end-users.
2.2 Who is a Subscriber/ End User?
Subscriber (End User) means a person or an organization who is by any technologies identified as an authentic signer of an electronic signature. A subscriber will always have a digital certificate issued to him by an authorized/accredited CSP. A subscriber is the entity named as the end-user of a certificate.
2.3 How can I obtain a digital certificate in Sri Lanka?
You may obtain a digital certificate from NCA’s accredited/authorized CSP in Sri Lanka.
2.4 Who are the accredited/authorized CSPs in Sri Lanka?
The list of accredited/authorized CSPs in Sri Lanka is available at www.nca.gov.lk/csp
2.5 How can I obtain a digital certificate from NCA’s accredited/authorized CSP?
You may follow the procedures (or guidelines) given in the respective web site of the CSP.
2.6 In which form will I receive my Digital Certificate?
You will receive your unique key and certificate in a personalized secure electronic device called USB token and a Personal Identification Number (PIN)
3.1 How can I sign a document digitally using my digital certificate?
To sign pdf documents, follow the guidelines issued by your CSP (Ex: https://www.lankaclear.com/knowledge-center/lankasign/ )
4.1 For the verification of Digital Signature of any electronic data, is it required to have the certificates of the signer and the CSP?
Signer's certificate and the complete issuer chain of certificates up to the Root certificate are required. The chain may either be part of Digital Signature or be made available to the verifier by the application service provider.
Currently, the certificate of the NCA Root CA is not in the trusted roots of the commonly used applications. Hence, the root certificate of the authorized CSP who issued the digital certificate to the signer shall be downloaded and imported to the verification system/application (one time).
4.2 How can a digitally signed document be verified after the digital certificate associated with the Public Key has expired/revoke?
The digital signature verification process for a document requires the signer’s public key, issuer (CSP) certificates and their CRLs. CSP will make available its certificates and CRLs till the expiry of digital certificates. For the requirements of verification beyond expiry of digital certificates, the application should therefore have a provision to locally store digital certificate issuer’s (CSP) certificate and their CRL’s at the time when the document was digitally signed.
4.3 What is a CRL?
The Certificate Revocation List (CRL) is a list of certificates that have been revoked by the CA (CSP) and therefore no longer valid and is downloaded from the CSP.
4.4 What is OCSP?
Online Certificate Status Protocol (OCSP) is a protocol for checking revocation of a single certificate interactively using an online service called an OCSP responder.