Description of Digital Certificates

This article was previously published under Q195724
This article contains a description of digital certificates.

General Information

The main purpose of the digital certificate is to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued.

Encryption techniques using public and private keys require a public-key infrastructure (PKI) to support the distribution and identification of public keys. Digital certificates package public keys, information about the algorithms used, owner or subject data, the digital signature of a Certificate Authority that has verified the subject data, and a date range during which the certificate can be considered valid.

Without certificates, it would be possible to create a new key pair and distribute the public key, claiming that it is the public key for almost anyone. You could send data encrypted with the private key and the public key would be used to decrypt the data, but there would be no assurance that the data was originated by anyone in particular. All the receiver would know is that a valid key pair was used.

Certificate Authorities

Certificates are signed by the Certificate Authority (CA) that issues them. In essence, a CA is a commonly trusted third party that is relied upon to verify the matching of public keys to identity, e-mail name, or other such information.

The benefits of certificates and CAs occur when two entities both trust the same CA. This allows them to learn each other's public key by exchanging certificates signed by that CA. Once they know each other's public key, they can use them to encrypt data and send it to one another, or to verify the signatures on documents.

A certificate shows that a public key stored in the certificate belongs to the subject of that certificate. A CA is responsible for verifying the identity of a requesting entity before issuing a certificate. The CA then signs the certificate using its private key; the CA's corresponding public key is what is used to verify the certificate. A CA's public keys are distributed in software packages such as Web browsers and operating systems, or they can also be added manually by the user.

Software that is designed to take advantage of the PKI maintains a list of CAs that it trusts.

To view the list of CAs that Internet Explorer trusts, use the appropriate method:

Internet Explorer 3.x

On the View menu, click Options, click the Security tab, and then click Publishers.

Internet Explorer 4.x

On the View menu, click Internet Options, click the Content tab, and then click Publishers.

Internet Explorer 5

On the Tools menu, click Internet Options, click the Content tab, and then click Certificates.

A list of CAs that are included in Microsoft products is available at the following Microsoft Web site:

Certificate Types

There are four kinds of digital certificates used on the Internet:

Personal Certificates:

These certificates identify individuals. They may be used to authenticate users with a server, or to enable secure e-mail using S/MIME. Microsoft recommends exporting your personal certificates to a safe location as a form of backup in case your certificates are damaged. If a password list file (.pwl) becomes damaged or missing, the certificate is not available for use, and you may receive an error message when you try to send e-mail. For more information about this issue see the following articles in the Microsoft Knowledge Base:
190296 Unable to Use Personal Certificates in Outlook Express
132807 Enhanced Encryption for Windows 95 Password Cache

Server Certificates:

Server certificates identify servers that participate in secure communications with other computers using communication protocols such as SSL. These certificates allow a server to verify its identity to clients. Server certificates follow the X.509 certificate format that is defined by the Public-Key Cryptography Standards (PKCS).

Software Publisher Certificates:

Microsoft Authenticode does not guarantee that signed code is safe to run, but rather informs the user whether or not the publisher is participating in the infrastructure of trusted publishers and CAs. These certificates are used to sign software to be distributed over the Internet.

Authenticode requires a software publisher certificate to sign Microsoft ActiveX and other compiled code. Internet Explorer is also capable of trusting software that is signed with a publisher's certificate.

To view a list of trusted software publishers in Internet Explorer, click Internet Options on the Tools menu, click the Content tab, and then click Publishers. You can also remove trusted publishers by clicking Remove in this screen.

Certificate Authority Certificates:

Internet Explorer 5 divides CAs into two categories, Root Certification Authorities and Intermediate Certification Authorities. Root certificates are self-signed, meaning that the subject of the certificate is also the signer of the certificate. Root Certification Authorities have the ability to assign certificates for Intermediate Certification Authorities. An Intermediate Certification Authority has the ability to issue server certificates, personal certificates, publisher certificates, or certificates for other Intermediate Certification Authorities.

For example, if you click Certificates on the Content tab in the Internet Explorer Properties dialog box, a list of certificates that are installed on your computer is displayed. There is a trusted Root Authority listed as "Class 1 Public Primary Certification Authority" (which is run by VeriSign). This certificate is issued and signed by the Class 1 Public Primary Certificate Authority, and is therefore a root certificate. On the Intermediate Certification Authorities tab, there are several certificates listed as "VeriSign Class 1 CA." The root certificate mentioned above issued these certificates. These Intermediate Certificate Authorities were created for the purpose of issuing and validating personal digital certificates, so if a person has obtained a Class 1 personal digital certificate from VeriSign, it will be issued by one of these Intermediate CAs. This creates what is known as a verification chain. In this case, there are only three certificates in the verification chain for a personal certificate. However, verification chains can contain a large number of certificates depending upon the number of Intermediate Certification Authorities in the chain.

The verification chain for a certificate can be viewed by double-clicking the certificate and then clicking the Certification Path tab.

How a Certificate Is Issued

  1. Key Generation: The individual requesting certification (the applicant, not the CA) generates a key pair consisting of a public key and a private key.
  2. Matching of Policy Information: The applicant packages the additional information necessary for the CA to issue the certificate (such as proof of identity, tax ID number, e-mail address, and so on). The precise definition of this information is up to the CA.
  3. Sending of Public Keys and Information: The applicant sends the public keys and information (often encrypted using the CA's public key) to the CA.
  4. Verification of Information: The CA applies whatever policy rules it requires in order to verify that the applicant should receive a certificate.
  5. Certificate Creation: The CA creates a digital document with the appropriate information (public keys, expiration date, and other data) and signs it using the CA's private key.
  6. Sending/Posting of Certificate: The CA may send the certificate to the applicant, or post it publicly as appropriate.
  7. The certificate is loaded onto an individual's computer.

Certificate Revocation

CAs publish certificate revocation lists (CRLs) containing certificates that have been revoked by the CA. The certificate holder's private key may have been compromised, or false information may have been used to apply for the certificate. CRLs provide a way of withdrawing a certificate after it has been issued. CRLs are made available for downloading or online viewing by client programs.

To verify a certificate, all that is necessary is the public key of the CA and a check against the CRL published by that CA. Certificates and CAs reduce the public-key distribution problem of verifying and trusting one (or more) public keys per individual. Instead, only the CA's public key must be trusted and verified, and then that can be relied on to allow verification of other certificates. Internet Explorer 5 can be set to check for the validity of certificates on the Advanced tab in the Internet Explorer Properties dialog box.
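The three-certificate verification chain, the issuance steps (applicant-generated key pair, CA-signed certificate) and the CRL check described above, worked through with the openssl command-line tool as an added example that is not part of the KB article. All names, subjects and file names are constructed; it assumes an openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the KB article: build the three-certificate
# verification chain it describes (root CA -> intermediate CA -> personal
# certificate) with the openssl CLI, verify it the way a client does, then
# revoke the personal certificate through a CRL. All names are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > ee.ext

# Issuance steps 1-3: the applicant, not the CA, generates the key pair and
# sends only the public key plus subject data (the CSR) to the CA.
mkcsr() { openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null; }

mkcsr root "Demo Root CA"       # root: self-signed, subject == signer
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.pem 2>/dev/null
mkcsr inter "Demo Class 1 CA"   # intermediate: signed by the root, CA:TRUE
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out inter.pem 2>/dev/null
mkcsr alice "alice@example.test"  # personal cert: signed by the intermediate
openssl x509 -req -in alice.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -extfile ee.ext -out alice.pem 2>/dev/null

# Only the root is trusted; the intermediate is passed untrusted and must
# itself chain to the root. Exit status 0 means the chain verifies.
verify_chain() { openssl verify -CAfile root.pem -untrusted inter.pem alice.pem >/dev/null 2>&1; }
# Without the intermediate the chain cannot be built, so this fails.
verify_no_inter() { openssl verify -CAfile root.pem alice.pem >/dev/null 2>&1; }

# Minimal 'openssl ca' database so the intermediate can publish a CRL.
touch index.txt
cat > ca.cnf <<EOF
[ca]
default_ca = inter
[inter]
database = index.txt
certificate = inter.pem
private_key = inter.key
default_md = sha256
default_crl_days = 7
EOF
gen_crl()      { openssl ca -config ca.cnf -gencrl -out inter.crl >/dev/null 2>&1; }
revoke_alice() { openssl ca -config ca.cnf -revoke alice.pem >/dev/null 2>&1; }
# Same chain check, now also consulting the issuing CA's CRL for the leaf:
# passes while the CRL is empty, fails with "certificate revoked" after revocation.
verify_with_crl() { openssl verify -crl_check -CAfile root.pem -CRLfile inter.crl \
                      -untrusted inter.pem alice.pem >/dev/null 2>&1; }
```

Run `openssl x509 -in alice.pem -noout -issuer -subject` after the script to see the issuer/subject pairing that makes up the verification chain.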

Article ID: 195724 - Last Review: 01/23/2007 18:14:53 - Revision: 3.2

  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 4.01 Service Pack 1
  • Microsoft Internet Explorer 4.0 128-Bit Edition
  • Microsoft Internet Explorer 3.02
  • Microsoft Internet Explorer 3.01
  • Microsoft Internet Explorer 3.0
  • Microsoft Internet Explorer 6.0