A digital certificate (or public key certificate) is a data structure signed by a CA that contains a public key, the name of the owner of the key, the certificate lifetime and further attributes. Standard file extensions are .cer, .cert and .pem.
To encrypt a message for a recipient, the sender needs a digital certificate that contains the recipient's public key. A digital certificate may also serve for the strong authentication of users, servers or hardware components, and it is used to validate digital signatures.
With digital certificates, a large number of applications can be protected to a high level of security. The certificates of a PKI may be used for secure e-mail, web security, Windows smart card logon, VPN, file and folder encryption, as well as for digital signatures.
X.509 is an ITU-T recommendation for the structure and usage of digital certificates. X.509 certificates are supported by major operating systems and applications.
A Certificate Authority (CA) is a trusted third party that signs digital certificates or certificate revocation lists (CRLs) with its own private key.
A certificate revocation list (CRL) contains the serial numbers of certificates that have been revoked and therefore must not be used any more. It can contain further information such as the time of revocation and the revocation reason code.
A certificate chain contains all certificates from a user or computer certificate (end entity certificate) via the issuing CA and any intermediate CAs (intermediate CA certificates) up to a trusted root CA (root CA certificate).
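The two definitions above (CRL and certificate chain) come together in path validation. The following is an added example, not code from the original page: it follows issuer names from an end entity certificate through intermediate CAs to a trusted root, checks lifetimes and the CA flag, and looks the serial number up in the CRL of the issuing CA. The `Certificate` and `CRL` data model, the names in `demo()` and the `check_sig` callback are constructed for this illustration; real code would parse DER and verify signatures with a library such as `cryptography`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Certificate:  # constructed model: only the X.509 fields path validation needs
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    is_ca: bool
@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked: dict  # serial number -> CRLReason code (RFC 5280; 1 = keyCompromise)

def validate(end_entity, intermediates, trusted_roots, crls, now, check_sig):
    """Return the chain's subjects (end entity first), or the reason it is rejected."""
    by_subject = {c.subject: c for c in [*intermediates, *trusted_roots]}
    chain = [end_entity]
    while chain[-1] not in trusted_roots:  # follow issuer names up to a trusted root
        issuer = by_subject.get(chain[-1].issuer)
        if issuer is None or issuer in chain:  # unknown issuer, or a loop
            return f"no path to a trusted root from {chain[-1].subject!r}"
        chain.append(issuer)
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert  # the root is self-signed
        if not cert.not_before <= now <= cert.not_after:
            return f"{cert.subject!r} is outside its lifetime"
        if i > 0 and not cert.is_ca:  # everything above the end entity must be a CA
            return f"{cert.subject!r} is not a CA"
        if not check_sig(cert, issuer):  # real code verifies the signature with the issuer's key
            return f"bad signature on {cert.subject!r}"
        for crl in crls:  # only a CRL issued by this certificate's CA is authoritative for it
            if crl.issuer == issuer.subject and cert.serial in crl.revoked:
                return f"{cert.subject!r} revoked, reason code {crl.revoked[cert.serial]}"
    return [c.subject for c in chain]

def demo():
    """Constructed PKI (root CA -> issuing CA -> user) checked clean, revoked and with a gap."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    life = (now - timedelta(days=1), now + timedelta(days=365))  # not_before, not_after
    root = Certificate("Example Root CA", "Example Root CA", 1, *life, True)
    ca = Certificate("Example Issuing CA", "Example Root CA", 2, *life, True)
    user = Certificate("alice@example.test", "Example Issuing CA", 1001, *life, False)
    def sig_ok(c, issuer):  # stand-in for cryptographic signature verification
        return c.issuer == issuer.subject
    return (validate(user, [ca], [root], [CRL("Example Issuing CA", {})], now, sig_ok),
            validate(user, [ca], [root], [CRL("Example Issuing CA", {1001: 1})], now, sig_ok),
            validate(user, [], [root], [], now, sig_ok))  # intermediate CA certificate missing
```

The third case shows why the chain definition says "all certificates": without the intermediate CA certificate there is no path to the trusted root and validation fails even though nothing is revoked.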
PKCS#12 is a standard from RSA Laboratories that specifies a portable format for storing or transporting a user's private keys, certificates, etc. A PKCS#12 container can be encrypted with a password. Standard file extensions are .p12 and .pfx.
A PKI token is a cryptographic hardware component, usually in the form factor of a USB dongle. Typically, the dongle contains a smart card chip on which the cryptographic operations are performed and on which the private keys and certificates are stored. It thus combines security and usability, as no additional smart card reader is needed. While this is a practical tool for Windows computers, support on mobile devices is mostly lacking.
A Hardware Security Module (HSM) is a hardware component that generates and stores the private keys of a CA or of other PKI services. Additionally, an HSM performs cryptographic operations. One can distinguish between dedicated and network HSMs: dedicated HSMs are directly connected to one CA, whereas network HSMs can be used by multiple CAs.