43.3. Certificates

Certificates extend the concept of public and private keys: the public key, together with the name of its holder, is digitally signed by a certification authority (CA). In larger deployments this lets a remote system use the CA's signature to decide whether a key is valid without that key having to be installed on it beforehand; the remote system only needs to trust the CA's own certificate.

For the Intra2net system itself, such a certification authority generally offers few advantages. The Intra2net system nevertheless uses the X.509 certificate standard throughout, because in practice it has become established in place of bare public/private key pairs.

To simplify operation, the Intra2net system normally generates self-signed certificates, in which the holder (the subject) is also the issuer. No additional steps are therefore needed before certificates can be used. A self-signed certificate carries no vouching by a third party, so a peer must be given the certificate itself (or its fingerprint) in advance and trust it explicitly. Of course, external certification authorities can also be used.

Some peers, especially VPN client programs, cannot handle self-signed certificates. In that case it may make sense to create your own certification authority on the Intra2net system; it can then be used to automatically issue certificates for the affected VPN client programs, which only have to trust the CA certificate.
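The two cases described above, a self-signed certificate (subject equals issuer, signed with its own key) and an end-entity certificate issued by a local CA, as an added example that is not part of the Intra2net documentation or software. It uses only Go's standard crypto/x509 package; the names Example Intra2net CA, vpn.example.test and vpn-client-01 are constructed for the example, and VerifyAgainst stands in for the check a peer performs with whatever it has been told to trust.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example names; assumptions for this example, not Intra2net defaults.
const (
	exampleCAName   = "Example Intra2net CA"
	exampleVPNHost  = "vpn.example.test"
	exampleClientCN = "vpn-client-01"
)

func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// baseTemplate holds the fields shared by every certificate in this example.
func baseTemplate(cn string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
	}
}

// sign signs tmpl with signer; parent supplies the issuer name, so
// parent == tmpl yields a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SelfSignedServerCert mirrors the default case: the holder (subject) is also
// the issuer, and the certificate is signed with its own private key.
func SelfSignedServerCert(host string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	t := baseTemplate(host, 1)
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	t.DNSNames = []string{host}
	return sign(t, t, &key.PublicKey, key), key
}

// NewCA creates a local certification authority: also self-signed, but with
// cA=TRUE and keyCertSign so it is allowed to sign other certificates.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	t := baseTemplate(name, 2)
	t.IsCA = true
	t.BasicConstraintsValid = true
	t.KeyUsage = x509.KeyUsageCertSign
	return sign(t, t, &key.PublicKey, key), key
}

// IssueClientCert creates a VPN client certificate signed by the CA key;
// its issuer is the CA's subject, so subject != issuer.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	t := baseTemplate(cn, serial)
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return sign(t, ca, &key.PublicKey, caKey), key
}

// IsSelfSigned reports whether issuer == subject and the signature verifies
// under the certificate's own public key.
func IsSelfSigned(c *x509.Certificate) bool {
	if !bytes.Equal(c.RawSubject, c.RawIssuer) {
		return false
	}
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// VerifyAgainst is the peer's check: build a chain from leaf to a certificate it
// trusts. An empty trust list models a peer with nothing installed beforehand.
func VerifyAgainst(leaf *x509.Certificate, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	server, _ := SelfSignedServerCert(exampleVPNHost)
	ca, caKey := NewCA(exampleCAName)
	client, _ := IssueClientCert(ca, caKey, exampleClientCN, 1001)
	fmt.Println("server self-signed:", IsSelfSigned(server), " client self-signed:", IsSelfSigned(client)) // true false
	fmt.Println("server, nothing trusted:", VerifyAgainst(server))        // error: unknown authority
	fmt.Println("server, itself trusted:", VerifyAgainst(server, server)) // <nil>
	fmt.Println("client, CA trusted:", VerifyAgainst(client, ca))         // <nil>
	fmt.Println("server, only CA trusted:", VerifyAgainst(server, ca))    // error: not issued by the CA
}
```

The last two checks are the practical difference: a peer that only has the CA certificate installed accepts every certificate the CA issues, but still rejects the self-signed server certificate, because nothing in its trust list vouches for it.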