A database server certificate contains one or more digital signatures used to maintain data integrity and protect against tampering. Following are the steps used to create a digital signature:
An algorithm performed on a certificate generates a unique value or hash.
The hash is encrypted using a signing certificate's or Certificate Authority's private key.
The encrypted hash, called a digital signature, is embedded in the certificate.
A digital signature can be self-signed or signed by an enterprise root certificate or Certificate Authority.
When a client application contacts a database server, and each is configured to use transport-layer security, the server sends the client a copy of its certificate. The client decrypts the certificate's digital signature using the server's public key included in the certificate, calculates a new hash of the certificate, and compares the two values. If the values match, this confirms the integrity of the server's certificate.
If you are using FIPS-approved RSA encryption, you must generate your certificates using RSA.
For more information about self-signed certificates, see Self-signed root certificates.
For more information about enterprise root certificates and Certificate Authorities, see Certificate chains.