Using digital certificates
Applies To: Office Resource Kit
Topic Last Modified: 2008-05-09
The examples shown in Using digital signatures were for self-signed certificates. These are certificates that are created by the 2007 Microsoft Office system and that can be used to digitally sign and encrypt 2007 Office system documents. Self-signed certificates are typically used by individuals and small businesses that do not want to set up a public key infrastructure (PKI) for their organizations and do not want to purchase a commercial certificate.
The primary drawback of using self-signed certificates is that they are only useful if you exchange documents with those who know you personally and are confident that you are the actual originator of the document. With self-signed certificates, there is no third party that validates the authenticity of your certificate. Each person who receives your signed document must decide whether to trust your certificate.
For larger organizations, two other options are available: certificates that are created by using a corporate PKI and commercial certificates. Organizations that want to share signed documents only among other employees in the organization might prefer a corporate PKI to reduce costs. Organizations that want to share signed documents with people outside of their organization might prefer a commercial certificate.
Organizations have the option to create their own PKI. In this scenario, the company sets up one or more certification authorities (CAs) that can create digital certificates for computers and users throughout the company. When combined with the Active Directory directory service, a company can create a complete PKI solution so that all corporate-managed computers have the corporate CA chain installed and that both users and computers are automatically assigned digital certificates for document signing and encryption.
For more information about using a Microsoft PKI, see Public Key Infrastructure for Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=119113).
Commercial certificates are purchased from a company whose line of business is to sell digital certificates. The main advantage of using commercial certificates is that the commercial certificate vendor’s root CA certificate is automatically installed on Windows operating systems, which enables these computers to automatically trust these CAs. Unlike the corporate PKI solution, commercial certificates enable you to share your signed documents with users who do not belong to your organization.
There are three types of commercial certificates:
Class 1: Class 1 certificates are issued to individuals who have valid e-mail addresses. Class 1 certificates are appropriate for digital signatures, encryption, and electronic access control for non-commercial transactions where proof of identity is not required.
Class 2: Class 2 certificates are issued to individuals and devices. Class 2 individual certificates are appropriate for digital signatures, encryption, and electronic access control in transactions where proof of identity based on information in the validating database is sufficient. Class 2 device certificates are appropriate for device authentication; message, software, and content integrity; and confidentiality encryption.
Class 3: Class 3 certificates are issued to individuals, organizations, servers, devices, and administrators for CAs and root authorities (RAs). Class 3 individual certificates are appropriate for digital signatures, encryption, and access control in transactions where proof of identity must be assured. Class 3 server certificates are appropriate for server authentication; message, software, and content integrity; and confidentiality encryption.
For more information about commercial certificates, see Digital ID – Office Marketplace (http://go.microsoft.com/fwlink/?LinkId=119114).