10: Security Settings
EDS-MD® Medical Device Server User Guide 70

Digital Certificates

The goal of a certificate is to authenticate its sender. It is analogous to a paper document that contains personal identification information and is signed by an authority, for example a notary or government agency. With digital certificates, a cryptographic key is used to create a unique digital signature.

Trusted Authorities

A private key is used by a trusted certificate authority (CA) to create a unique digital signature. Along with this private key is a certificate of authority, containing a matching public key that can be used to verify the authority's signature but not re-create it.

A chain of signed certificates, anchored by a root CA, can be used to establish a sender's authenticity. Each link in the chain is certified by a signed certificate from the previous link, with the exception of the root CA. This way, trust is transferred along the chain, from the root CA through any number of intermediate authorities, ultimately to the agent that needs to prove its authenticity.

Obtaining Certificates

Signed certificates are typically obtained from well-known CAs, such as VeriSign, Inc. This is done by submitting a certificate request to a CA, typically for a fee. The CA will sign the certificate request, producing a certificate/key combo: the certificate contains the identity of the owner and the public key, and the private key is available separately for use by the owner.

As an alternative to acquiring a signed certificate from a CA, you can act as your own CA and create self-signed certificates. This is often done for testing scenarios, and sometimes for closed environments where the expense of a CA-signed root certificate is not necessary.

Self-Signed Certificates

A few utilities exist to generate self-signed certificates or sign certificate requests. The EDS-MD device servers can also generate their own self-signed certificate/key combo. You can use XML to export the certificate in PEM format, but you cannot export the key. Hence, the internal certificate generator can only be used for certificates that are to identify that particular EDS-MD module.

Certificate Formats

Certificates and private keys can be stored in several file formats. Best known are PKCS12, DER and PEM. Certificate and key can be in the same file or in separate files. Additionally, the key can either be encrypted with a password or left in the clear. However, EDS-MD device servers currently only accept separate PEM files, with the key unencrypted.

Several utilities exist to convert between the formats.
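The following pre-upload check is an added example, not part of the user guide or of any Lantronix tool: it inspects a certificate file and a key file against the constraint stated above (separate PEM files, key unencrypted). The function names are hypothetical, the sample blocks are constructed stand-ins rather than real key material, and the check assumes that any PEM label ending in "PRIVATE KEY" counts as a key, since the guide does not list the accepted key types.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, matching END line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(data):
    """Return (label, encrypted, well_formed) for every PEM block in data."""
    out = []
    for m in PEM_BLOCK.finditer(data):
        label, body = m.group(1).decode(), m.group(2)
        # Encrypted keys: legacy "Proc-Type: 4,ENCRYPTED" header, or the PKCS#8 label.
        encrypted = b"Proc-Type: 4,ENCRYPTED" in body or label == "ENCRYPTED PRIVATE KEY"
        b64 = b"".join(l.strip() for l in body.splitlines() if b":" not in l)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            der = b""
        # Certificates and keys are DER SEQUENCEs, so decoded data starts with 0x30.
        out.append((label, encrypted, der[:1] == b"\x30"))
    return out

def check_upload(cert_file, key_file):
    """List the ways a cert/key pair violates 'separate PEM files, key unencrypted'."""
    problems = []
    certs, keys = pem_blocks(cert_file), pem_blocks(key_file)
    if not any(l == "CERTIFICATE" and ok for l, _, ok in certs):
        problems.append("certificate file has no valid PEM CERTIFICATE block")
    if any(l.endswith("PRIVATE KEY") for l, _, _ in certs):
        problems.append("certificate file also holds a private key")
    if any(enc for _, enc, _ in keys):
        problems.append("private key is password-encrypted")
    elif not any(l.endswith("PRIVATE KEY") and ok for l, _, ok in keys):
        problems.append("key file has no valid PEM private key block")
    return problems

def sample(label, headers=b""):
    """Constructed stand-in PEM block (a 5-byte DER SEQUENCE, not real key material)."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x00")
    return b"-----BEGIN " + label + b"-----\n" + headers + body + b"\n-----END " + label + b"-----\n"

if __name__ == "__main__":
    cert, key = sample(b"CERTIFICATE"), sample(b"RSA PRIVATE KEY")
    legacy_enc = sample(b"RSA PRIVATE KEY", b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
    print(check_upload(cert, key))                 # separate, unencrypted pair
    print(check_upload(cert + key, legacy_enc))    # combined file, encrypted key
    print(check_upload(b"\x30\x82\x01\x0a", key))  # raw DER bytes instead of PEM
```

The check looks only at PEM framing and labels; it does not confirm that the key matches the certificate or that the certificate chains to a trusted CA. Because the key must be stored unencrypted, the file permissions on the key and the channel used to transfer it deserve the same scrutiny.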