Historical Content Alert

This is a historical content for Windows NT 4.0 product and is presented for informative purposes only. All content in this directory is copyrighted and owned by Microsoft.

Digital Certification

A primary goal of a digital certificate is to confirm that the public key contained in a certificate is the public key belonging to the person or entity to whom the certificate is issued. For example, a Certificate Authority (CA) may digitally sign a special message (known as certificate information) containing the name of a user (in this case "Alice,"), as well as her public key in such a way that anyone can verify that the certificate information message was signed by no one other than the CA. Thereby, trust in the public key designated for "Alice" is confirmed.

The typical implementation of digital certification involves a signature algorithm for signing the certificate. The process follows these steps:

  1. Alice sends a certificate request containing her name and public key to a CA.

  2. The CA creates a special message m from this request, which constitutes most of the certificate data. The CA signs the message with its private key and obtains a separate signature sig. The CA then returns the message m and the signature sig to Alice. Together, the two parts form a certificate.

  3. Alice sends the certificate to Bob which conveys trust in her public key.

  4. Bob verifies the signature sig using the CA public key. If the signature is verified, the public key designated for Alice is accepted.

As with any digital signature, anyone can verify, at any time, that the certificate was signed by the Certificate Authority (CA), without access to privileged information.

This scenario assumes that Bob knows the specific CA public key. The public key could be obtained from a copy of the CA certificate, which contains the public key.

Since certificates have a valid time duration, it is possible for the certificate to expire and no longer be valid. A certificate is valid only for the period of time specified by the CA that issued the certificate. The certificate contains information about the beginning and expiration dates. If a user attempts to obtain access to a secured server by using an expired certificate, server authentication software will automatically reject the access request. Users can renew certificates before the expiration date to avoid this situation.

It is also possible for certificates to be revoked by the CA for other reasons. To handle this situation, the CA maintains a list of revoked certificates. This list is called a certificate revocation list (CRL), and is available to network users to determine validity of any given certificate.

Share this article: