Certificates and Trust

Last Updated: May 16, 2023

Digital certificates are defined by the X.509v3 format and have become the de facto standard for most security operations that involve identity verification. The identity of an individual, system or application can be asserted by a certificate containing a 'public' key that pairs with a corresponding 'private' key held by the owner. The public key is part of the certificate, along with identity information about the owner and other digital security data (such as validity dates, intended key usage and the issuer's signature).

For example, Avaya signs its applications with its private key and makes the corresponding certificate public. Anyone wishing to check the application can take the certificate and use the public key it contains to verify the signature, confirming that the application was signed by the holder of the private key and has not been altered since:

One point from the above example is that the private key must remain private; anyone with access to the key can masquerade as Avaya.

To establish greater trust, a trusted party can sign the public key together with the information about its owner. A trusted party that issues digital certificates is called a certification authority (CA), similar to a governmental agency that issues driver's licenses. A CA can be an external certification service provider or a government, or the CA can belong to the same organization as the entities it serves. CAs can also issue certificates to subordinate CAs, which creates a tree-like trust hierarchy called a Public-Key Infrastructure (PKI):
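The two checks described above (verifying a signature with the public key from a certificate, and trusting that certificate because a CA signed it) can be exercised end to end with Go's standard library. The following is an added example, not Avaya code: it builds a small constructed PKI (a root CA named "Example Root CA" and a code-signing certificate for "Example Publisher", both invented names), signs a payload with the publisher's private key, and then verifies both the signature and the certificate chain. A signature from a certificate that does not chain to the trusted root is rejected, which is the property that lets a verifier distinguish the real publisher from anyone else who merely produced a self-made certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a constructed root CA and one leaf (code-signing) certificate
// issued by it. Names and serial numbers are illustrative, not real Avaya data.
type PKI struct {
	CACert   *x509.Certificate
	CAKey    *rsa.PrivateKey
	LeafCert *x509.Certificate
	LeafKey  *rsa.PrivateKey
}

// newCert creates a certificate from template, signed by signer (the parent's key).
func newCert(template, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI generates a self-signed root CA and a code-signing certificate that the CA issues.
func BuildPKI() (*PKI, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caCert, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Publisher"}, // constructed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafCert, err := newCert(leafTmpl, caCert, &leafKey.PublicKey, caKey) // issued by the CA
	if err != nil {
		return nil, err
	}
	return &PKI{CACert: caCert, CAKey: caKey, LeafCert: leafCert, LeafKey: leafKey}, nil
}

// Sign hashes the payload with SHA-256 and signs the digest with the publisher's private key.
func Sign(key *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// Verify returns nil only when (1) cert chains to the trusted root and is valid for
// code signing, and (2) sig verifies over payload under cert's public key.
func Verify(cert, root *x509.Certificate, payload, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, payload, sig); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	return nil
}

func main() {
	pki, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed application payload") // stands in for the signed application
	sig, err := Sign(pki.LeafKey, payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine payload:", Verify(pki.LeafCert, pki.CACert, payload, sig))
	fmt.Println("tampered payload:", Verify(pki.LeafCert, pki.CACert, []byte("tampered"), sig))
}
```

The verifier trusts only the root it was configured with; a certificate minted under a different root, even with a perfectly valid signature, fails the chain check before the signature is examined. This is why the CA's private key (and the publisher's) must stay private: the whole chain of trust rests on who can produce those signatures.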