As you likely noticed, there is a problem with the digital signature scheme described in "What are digital signatures?". It proves that a message was sent by a given party, but how do we know for sure that the sender really is who she says she is? What if someone claims to be Alice and signs a message, but is actually Amanda? We can improve our security by using digital certificates, which package an identity along with a public key and are digitally signed by a third party called a certificate authority, or CA.
A certificate authority is an organization that verifies the identity, in the real-world physical sense, of a party and signs that party's public key and identity with the CA's private key. A message recipient can obtain the sender's digital certificate and verify (or decrypt) it with the CA's public key. This proves that the certificate is valid and allows the recipient to extract the sender's public key, either to verify the sender's signature or to send the sender an encrypted message. Browsers and the JDK itself come with built-in certificates, and their public keys, from several CAs.
JDK 1.4 supports the X.509 Digital Certificate Standard.
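
The check described above, as an added example that is not part of the original tutorial: it loads the CA certificates built into the JDK and tests whether a certificate's signature verifies under the public key of the CA named as its issuer. The class and method names (`CaSignatureCheck`, `builtInCaCerts`, `signedByBuiltInCa`) are hypothetical, and the code assumes a current JDK rather than 1.4, since it uses generics.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CaSignatureCheck {

    // CA certificates that ship with the JDK (its default trust store).
    static List<X509Certificate> builtInCaCerts() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK default trust store
        List<X509Certificate> cas = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                cas.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
            }
        }
        return cas;
    }

    // True only if a built-in CA named as the issuer really signed the certificate
    // and the certificate is inside its validity period.
    static boolean signedByBuiltInCa(X509Certificate cert, List<X509Certificate> cas) {
        for (X509Certificate ca : cas) {
            if (!ca.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try {
                cert.verify(ca.getPublicKey()); // throws if the CA signature does not match
                cert.checkValidity();           // throws if expired or not yet valid
                return true;
            } catch (Exception e) {
                // bad signature, wrong key or outside validity: try the next candidate
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> cas = builtInCaCerts();
        System.out.println("Built-in CA certificates: " + cas.size());
        // Root CA certificates are self-signed, so each should verify under its own key.
        for (X509Certificate ca : cas) {
            System.out.println((signedByBuiltInCa(ca, cas) ? "OK   " : "FAIL ")
                + ca.getSubjectX500Principal().getName());
        }
    }
}
```

A matching signature and validity period are only part of certificate validation; `java.security.cert.CertPathValidator` performs full chain validation against the trust anchors.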