A public key certificate contains attributes, typically including an identifier, that are tied to a public key via the use of a digital signature. These certificates are issued by a reliable certification authority (CA). A certificate contains: the subject’s name, the subject's public key, the validity period, and the issuer's name.
As part of the PKI registration process, a public key/private key pair is generated in a hardware or software cryptographic module that is under the control of the subscriber. The private key remains under the sole possession of the subscriber. A certificate authority (CA) enters the public key into an electronic public key certificate that also identifies the owner of the key, i.e. the subscriber. The trusted CA digitally signs the certificate thereby binding the public key to the subscriber, and makes the signed certificate available for use by other subscriber]s.
A subscriber's public key certificate is used by other subscribers, referred to as relying parties, to obtain the subscriber’s public key in a trusted manner. Once obtained, the public key is then used: (1) to encrypt data for that subscriber so that only that subscriber can decrypt it with their private key, or (2) to verify that digitally signed data was signed by that subscriber using their private key, thereby authenticating the identity of the signing subscriber, and the integrity of the signed data.