General Security Concepts · SY0-701 · Task 1.4

Digital certificates — SY0-701

What digital certificates are, how they bind a public key to an identity, and the exam traps around revocation and trust chains for Security+ SY0-701.

WHAT IT IS

A digital certificate is a set of data that uniquely identifies a public key, names the entity authorized to use it, and is digitally signed by a certification authority (CA), thereby binding the public key to that entity. (NIST FIPS 186-5)

A CA is a trusted entity that issues and revokes public key certificates. (NIST SP 1800-16B)

The certificate may also carry additional information — such as how the key is permitted to be used and the validity period of the certificate. (NIST SP 800-57 Part 1 Rev. 5)

Mental model

Think of a digital certificate as a government-issued ID card for a public key. The CA plays the role of the government: it has already verified the applicant's identity, then stamps and signs the card so that anyone who trusts the government can trust the card without re-verifying the applicant directly. The card binds the face (public key) to the name (identity). The CA's own digital signature is what makes that binding trustworthy.

When to use it

Digital certificates solve the key-authenticity problem: when you receive a public key, you have no way of knowing it genuinely belongs to whom you think it does — unless a trusted third party has certified that binding. Certificates are the mechanism PKI uses to provide that assurance.

| Situation | Mechanism | Why certificates matter |
| --- | --- | --- |
| You need to verify a server's identity | TLS handshake | The server presents a certificate; your client checks the CA's signature |
| You need to verify a software publisher | Code-signing certificate | The CA-signed certificate binds the publisher's identity to their public key |
| A certificate may have been compromised | Revocation check | CRL or OCSP is consulted before trusting the certificate |
| You trust a CA, but the signer is an intermediate CA | Certificate chain | Each certificate in the chain was issued by the CA above it |

Certificate chain (chain of trust)

A certificate chain is an ordered list that starts with an end-entity certificate, includes one or more CA certificates, and ends with the root CA certificate, where each certificate is signed by the CA above it in the chain. (NIST SP 1800-16B)

Revocation

A certificate may need to be invalidated before its validity period expires, for example if the corresponding private key is compromised. Two mechanisms exist, both defined in NIST documents:

  • Certificate Revocation List (CRL): A list of revoked public key certificates created and digitally signed by a CA. (NIST FIPS 201-3, adapting RFC 5280)
  • Online Certificate Status Protocol (OCSP): An online protocol used to determine the status of a public key certificate. (NIST FIPS 201-3, derived from RFC 6960)
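The chain rule (each certificate signed by the CA above it, ending at a trusted root), the CRL check, and the private-key-signs/public-key-verifies direction can all be exercised in one small verifier. The following is an added example, not from the page or any NIST document; the CA names, serials, dates and the textbook-RSA keys built from fixed Mersenne primes are constructed for illustration and are not secure.

```python
# Added demo (not from the page): toy certificate chain + CRL verifier.
# Textbook RSA over fixed Mersenne primes: deterministic, insecure, for illustration only.
import hashlib, json

E = 65537  # public exponent shared by all demo keys

def keypair(a, b):  # constructed demo key from primes 2^a-1 and 2^b-1
    p, q = (1 << a) - 1, (1 << b) - 1
    return {"n": p * q, "e": E}, {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}
def digest(tbs):  # SHA-256 of the to-be-signed fields, canonically encoded, as an int
    return int.from_bytes(hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest(), "big")
def sign(tbs, priv):  # the CA signs with its PRIVATE key ...
    return pow(digest(tbs), priv["d"], priv["n"])
def verify(tbs, sig, pub):  # ... and any relying party verifies with the CA's PUBLIC key
    return pow(sig, pub["e"], pub["n"]) == digest(tbs)

def issue(subject, subject_pub, issuer, issuer_priv, serial, not_after):
    # Binds subject_pub to subject under the issuer's signature; not_after is an ISO date (text compare)
    tbs = {"serial": serial, "subject": subject, "issuer": issuer, "pub": subject_pub, "not_after": not_after}
    return {"tbs": tbs, "sig": sign(tbs, issuer_priv)}

def validate_chain(chain, trust_anchors, crl, today):
    """chain = [leaf, intermediate..., root]; crl = set of (issuer, serial) pairs."""
    for i, cert in enumerate(chain):
        tbs = cert["tbs"]
        if tbs["not_after"] < today:
            return False, f"{tbs['subject']}: expired"
        if (tbs["issuer"], tbs["serial"]) in crl:
            return False, f"{tbs['subject']}: revoked"
        if i + 1 < len(chain):  # each non-root cert must be signed by the CA above it
            above = chain[i + 1]["tbs"]
            ok = tbs["issuer"] == above["subject"] and verify(tbs, cert["sig"], above["pub"])
        else:  # the root is self-signed and must be in the trust store
            anchor = trust_anchors.get(tbs["subject"])
            ok = anchor == tbs["pub"] and verify(tbs, cert["sig"], anchor)
        if not ok:
            return False, f"{tbs['subject']}: signature does not verify under its issuer"
    return True, "chain valid"

# Constructed three-tier hierarchy: root -> issuing CA -> server certificate
ROOT_PUB, ROOT_PRIV = keypair(521, 127)
INT_PUB, INT_PRIV = keypair(607, 107)
LEAF_PUB, _ = keypair(1279, 89)
ROOT = issue("Demo Root CA", ROOT_PUB, "Demo Root CA", ROOT_PRIV, 1, "2040-01-01")
INTER = issue("Demo Issuing CA", INT_PUB, "Demo Root CA", ROOT_PRIV, 2, "2035-01-01")
LEAF = issue("www.example.test", LEAF_PUB, "Demo Issuing CA", INT_PRIV, 3, "2030-01-01")
TRUST = {"Demo Root CA": ROOT_PUB}

def check(crl=frozenset(), tamper=False):
    # tamper=True edits the leaf's subject after issuance, which breaks the signed binding
    leaf = {"tbs": {**LEAF["tbs"], "subject": "other.test"}, "sig": LEAF["sig"]} if tamper else LEAF
    return validate_chain([leaf, INTER, ROOT], TRUST, crl, today="2026-01-01")
```

Revoking the leaf by (issuer, serial) fails the chain even though every signature still verifies, which is exactly why deleting or reissuing without revocation is the wrong exam answer.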

COMMON MISCONCEPTION

The certificate IS NOT the public key, and it IS NOT the encryption itself. A certificate contains the public key and asserts who owns it — it is evidence of a binding, not the cryptographic key itself. The CA's digital signature on the certificate provides the assurance; the public key inside is what relying parties then use for cryptographic operations.

A second common confusion: a CA's signature on a certificate uses the CA's private key (asymmetric signing), which any relying party can verify using the CA's public key. Candidates sometimes invert this and believe the CA uses its public key to sign — but a digital signature is always produced with the private key and verified with the public key. (NIST FIPS 186-5 definition of digital signature)

A third trap: certificates do not prove a private key is secure — they only bind the public key to an identity at the moment of issuance. If the private key is later compromised, the certificate must be revoked; the certificate itself carries no ongoing proof that the private key remains under sole control.

How it shows up on the exam

The exam tests whether candidates can distinguish what the certificate proves (identity binding to a public key, attested by a CA) from what it does not prove (the security of the private key, the validity of the key after issuance, or the encryption of data). Scenario-based questions often involve an entity that can no longer be trusted — the expected response involves revocation via CRL or OCSP rather than simply deleting or reissuing without revocation.

Candidates are also assessed on chain-of-trust logic: when a question describes a hierarchy of CAs, understanding that each certificate in the chain is signed by the CA above it is the reasoning required — not just knowing that "a CA signs certificates" in a flat sense.

Signal phrases to recognize: "bind," "revoke," "chain of trust," "certificate authority," "CRL," "OCSP," "validity period," and any scenario where a private key may be compromised.

Related concepts

  • Public Key Infrastructure — the policies, procedures, hardware, software, and people that create, manage, distribute, use, store, and revoke digital certificates
  • Symmetric Encryption — encryption using the same key for both operations; certificates are used to distribute asymmetric keys, not symmetric ones
  • Asymmetric Encryption — the key-pair cryptography that certificates are built upon; the CA uses asymmetric signing to bind identity to a public key

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
