Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
A public key certificate, usually just called a certificate, is a digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. Most certificates in common use are based on the X.509v3 certificate standard. For references to extensive information about public key cryptography, see Certificates Resources.
Certificates can be issued for a variety of functions such as Web user authentication, Web server authentication, secure e-mail (using Secure/Multipurpose Internet Mail Extensions, also called S/MIME), Internet Protocol security (IPSec), Transport Layer Security (TLS), and code signing. Certificates are also issued from one certification authority (CA) to another in order to establish a certification hierarchy.
The entity that receives the certificate is the subject of the certificate. The issuer and signer of the certificate is a certification authority.
Typically, certificates contain the following information:
The subject's public key value.
The subject's identifier information, such as the name and e-mail address.
The validity period (the length of time that the certificate is considered valid).
Issuer identifier information.
The digital signature of the issuer, which attests to the validity of the binding between the subject’s public key and the subject’s identifier information.
A certificate is valid only for the period of time specified within it; every certificate contains Valid From and Valid To dates, which set the boundaries of the validity period. Once a certificate's validity period has passed, a new certificate must be requested by the subject of the now-expired certificate.
In instances where it becomes necessary to undo the binding that is asserted in a certificate, a certificate can be revoked by the issuer. Each issuer maintains a certificate revocation list that can be used by programs when checking the validity of any given certificate.
One of the main benefits of certificates is that hosts no longer have to maintain a set of passwords for individual subjects who need to be authenticated as a prerequisite to access. Instead, the host merely establishes trust in a certificate issuer.
When a host, such as a secure Web server, designates an issuer as a trusted root authority, the host implicitly trusts the policies that the issuer has used to establish the bindings of certificates it issues. In effect, the host trusts that the issuer has verified the identity of the certificate subject. A host designates an issuer as a trusted root authority by placing the issuer's self-signed certificate, which contains the issuer's public key, into the trusted root certification authority certificate store of the host computer. Intermediate or subordinate certification authorities are trusted only if they have a valid certification path from a trusted root certification authority.
For more information about certificates, see Understanding Certificates.
Because certificates are generally used to establish identity and create trusts for the secure exchange of information, certification authorities (CAs) can issue certificates to people, to devices (such as computers), and to services running on computers (such as IPSec).
In some cases, computers must be able to exchange information with a high degree of confidence in the identity of the other device, service, or person involved in the transaction. In some cases, people need to exchange information with a high degree of confidence in the identity of the other person, computer, or service involved in the transaction. Applications and services that run on computers also frequently need to verify that they are accessing information from a trusted source.
In circumstances where two entities--such as devices, persons or applications or services--attempt to establish identity and trust, the fact that both entities trust the same certification authority allows the bond of identity and trust to be established between them. Once a certificate subject has presented a certificate issued by a trusted CA, the entity attempting to establish trust can proceed with an information exchange by storing the certificate subject's certificate in its own certificate store, and, where applicable, using the public key contained in the certificate to encrypt a session key so that all subsequent communications to the certificate subject are secure.
For example, when using the Internet for online banking, it is important to know that your Web browser is communicating directly and securely with your bank's Web server. Your Web browser must be able to achieve Web server authentication before a safe transaction can occur. That is, the Web server must be able to prove its identity to your Web browser before the transaction can proceed. Microsoft® Internet Explorer uses Secure Sockets Layer (SSL) to encrypt messages and transmit them securely across the Internet, as do most other modern Web browsers and Web servers.
When you connect using an SSL-enabled browser to an online banking Web server that has a server certificate from a certification authority such as Verisign, the following events occur:
You access your bank's secured online banking login Web page using your Web browser. If you use Internet Explorer, a locked-padlock icon will appear in the lower right corner of the browser status bar to indicate that the browser is connected to a secure Web site. Other browsers depict secure connections in other ways.
The bank's Web server automatically sends a server certificate to your Web browser.
To authenticate the Web server, your Web browser checks the certificate store on your computer. If the certification authority that issued the certificate to your bank is trusted, the transaction can proceed, and the bank certificate is stored in your certificate store.
To encrypt all communications with the bank Web server, your Web browser creates a unique session key. Your Web browser encrypts the session key with the bank Web server certificate so that only the bank Web server can read messages sent by your browser. (Some of these messages will contain your login name and password and other sensitive information, so this level of security is necessary.)
The secure session is established, and sensitive information can be sent between your Web browser and the bank's Web server in a secure manner.
For more information, see Security with Certificates.
Certificates can also be used to verify the authenticity of software code that you download from the Internet, install from your company intranet, or purchase on CD-ROM and install on your computer. Unsigned software--software that does not have a valid software publisher's certificate--can pose a risk to your computer and the information you store on your computer.
When software is signed with a valid certificate from a trusted certification authority, you know that the software code has not been tampered with and can be safely installed on your computer. During software installation, you are prompted to verify that you trust the software manufacturer (for example, Microsoft Corporation). You may also be offered the option to always trust software content from that particular software manufacturer. If you choose to trust content from the manufacturer, their certificate goes into your certificate store and other software installations of their products can occur with a circumstance of predefined trust. In the circumstance of predefined trust, you can install software from the manufacturer without being prompted to indicate whether they are trusted; the certificate on your computer states that you trust the manufacturer of the software.
As with other certificates, those certificates used to verify the authenticity of software and the identity of a software publisher can have other purposes. For example, when the Certificates snap-in is set to view certificates by purpose, the Code Signing folder might contain a certificate issued to Microsoft Windows Hardware Compatibility by the Microsoft Root Authority. This single certificate has three purposes:
It ensures that the software came from the software publisher.
It protects software from alteration after publication.
It provides Windows hardware driver verification.
Certificate use in organizations
Many organizations install their own certification authorities and issue certificates to internal devices, services, and employees to create a more secure computing environment. Large organizations may have multiple certification authorities, set up in a hierarchy that leads to a root certification authority. Thus, an employee of an organization may have a multitude of certificates in their certificate store that have been issued by a variety of internal certification authorities, all of whom share a trust connection via the certification path to the root certification authority.
When an employee logs in to the organization's network from home using a virtual private network (VPN), the VPN server can present a server certificate to establish its identity. Because the corporate root authority is trusted and the corporate root certification authority issued the certificate of the VPN server, the client computer can proceed with the connection and the employee knows his computer is actually connected to his organization's VPN server.
The VPN server must also be able to authenticate the VPN client before data can be exchanged over the VPN connection. Either computer-level authentication occurs with the exchange of computer certificates or user-level authentication occurs though the use of a Point-to-Point Protocol (PPP) authentication method. For L2TP (Layer 2 Tunneling Protocol)/IPSec connections, computer certificates are required for both the client and server.
For more information, see Authentication of VPN clients, Computer certificates for L2TP/IPSec VPN connections, and Remote access VPN design considerations.
The client computer certificate may serve multiple purposes, most of which are based in authentication, allowing the client to use many organizational resources without the need for individual certificates for each resource. For example, the client certificate might allow VPN connectivity as well as access to the company store intranet site, to product servers, and to the human resources database where employee data is stored.
The VPN server certificate might also serve multiple purposes. The same certificate might have the purpose of verifying the identity of e-mail servers, Web servers, or application servers. The certification authority that issues the certificate determines the number of purposes for each certificate.
Certificates issued to persons
You can purchase a certificate from a commercial certification authority, such as Verisign, to send personal e-mail messages that are encrypted for security or digitally signed to prove authenticity.
Once you have purchased a certificate and you use it to digitally sign an e-mail message, the message recipient can verify that the message has not been altered during transit and that the message came from you--assuming, of course, that the message recipient trusts the certification authority that issued your certificate.
When you encrypt an e-mail message, nobody can read the message while it is in transit, and only the message recipient can decrypt and read the message.
Certificates and applications
Most e-mail clients allow you to automatically sign or encrypt e-mail messages or to encrypt or sign messages on an individual basis. Microsoft applications that allow e-mail messages to be digitally signed or encrypted are Microsoft Outlook® 2000, Microsoft Outlook Express and Microsoft Outlook 98.
Many Windows applications use certificates. Here are some links and information about how certificates can be used with Microsoft Internet Information Services (IIS), Microsoft Outlook 2003, Microsoft Outlook Express, and Microsoft Internet Explorer.
Internet Information Services certificates information
IIS certificate storage is integrated with the CryptoAPI storage. The Certificates snap-in provides a single point of entry that lets administrators store, back up, and configure server certificates.
IIS comes with three security task wizards that simplify most of the security tasks necessary to maintain a secure Web site. You can use the Web Server Certificate Wizard to manage Secure Sockets Layer (SSL) features in IIS and server certificates. Certificates are used in negotiating a secure link between your server and a user's browser. You can use the CTL Wizard to manage certificate trust lists (CTLs). Certificate trust lists are lists of trusted certification authorities for each Web site or virtual directory. You can use the IIS Permissions Wizard to assign Web and NTFS access permissions to Web sites, virtual directories, and files on your server.
For more information about the use of certificates in IIS, see the Microsoft Web site.
Outlook 2003 certificates information
"Set Up Security for Internet E-mail Messages" on the Microsoft Web site.
Internet Explorer certificates information:
Internet Explorer 6.0 Resource Kit on the Microsoft Web site.
Other Microsoft resources on certificates include Knowledge Base articles:
"Description of Symmetric and Asymmetric Encryption" on the Microsoft Web site.
"Using a Certificate Authority for the Encrypting File Service" on the Microsoft Web site.
"Best Practices for Encrypting File System" on the Microsoft Web site.
Certificate import and export
If you have certificates you want to use on other computers, you can export your certificates for import to other computers. For more information, see Importing and exporting certificates and Import and Export Certificates.
The certificate store
There are four basic sources for the certificates found in the certificate stores on your computer:
The certificate is included with your installation of Windows Server 2003 and comes on the Windows Server 2003 CD.
You use an application such as an Internet browser to engage in a SSL session, during which certificates are stored on your computer after establishment of trust.
You explicitly choose to accept a certificate, as when you install software or receive an encrypted or digitally signed e-mail from others.
You request a certificate from a certification authority, such as a certificate needed to access specific organizational resources.
Over time, as you use the Internet and connect to servers that use certificates for authentication and other purposes, the certificate store on your computer will gain entries. Some certificates may have one purpose, such as server authentication or client authentication, while other certificates may serve multiple purposes. The certification authority that issues the certificate determines the purpose or purposes the certificate may serve.
Although Internet Explorer and Windows store certificates in the same certificate stores, they allow different views of the certificate stores. For more information, see Set Display Options of the Certificates Snap-in in Certificates Help. To better understand how the Certificates snap-in displays the certificate store, see Certificate stores.
By using the Certificates snap-in, you can view certificates by logical store or by purpose. If you view certificates by purpose, a certificate with multiple purposes will appear listed in every folder that defines a purpose for which the certificate can be used.
The Certificates snap-in
You can use the Certificates snap-in to manage certificates for users, computers, or services.
Users and administrators can use the Certificates snap-in to request new certificates from Windows 2000 and enterprise certification authorities. In addition, users can find, view, import, and export certificates from within certificate stores. However, in most cases, users do not have to personally manage their certificates and their certificate stores. That can be accomplished by administrators, by policy settings, and through programs that use certificates.
Administrators are the primary users of the Certificates snap-in and, as such, they are able to perform a wide variety of certificate management tasks in their personal certificate store as well as the certificate stores for any computer or service that they have the right to administer.
For more information, see Requesting certificates