Digital Certificates
(Continued from Certificate Authorities)

The most common form of digital certificate is the signature certificate, which contains some base information (typically name, organization, and location, and often e-mail address), a public key, and a digital signature. The public key is used to verify the signature, and the signature is used to verify that the certificate is valid and has not been altered. Another common type of digital certificate is the key exchange certificate, which is used to encrypt information sent to another party. For instance, a CA key exchange certificate is used by clients to encrypt information sent to the CA.

When you request a signature certificate, a public/private key pair is generated (this can happen on the client/subscriber end or on the server) and the base information is sent to the CA. Note that each certificate request generates a new key pair: existing keys are not reused, as that would be a potentially serious security flaw. The CA then generates the certificate, signs the public key (with the CA's private key), and sends it back to the requester (and optionally to a distribution system or repository). You can distribute certificates through a variety of mechanisms: a directory server, e-mail, or mechanisms like vCards (see Figure 1).

There are a variety of formats for certificates, but the X.509 Version 3 specification, originally published as part of the X.500 Directory recommendations, is currently the industry standard. X.509 certificates contain well-known fields as well as extension fields for storing additional data. The well-known fields are based on the LDAP naming convention, and they include:
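The request-and-issue flow described above, worked through end to end with Go's standard crypto/x509 package: the subscriber generates a fresh key pair and a self-signed request carrying only the base information and public key, the CA signs that public key with its own private key, and a relying party then checks the CA signature and sees that altering the signed portion is caught. This is an added example, not code from the original article; all names, the e-mail address, serial numbers and the 24-hour validity period are constructed for it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // any error in this offline demo is a bug
	if err != nil {
		panic(err)
	}
	return v
}

// Issue follows the flow in the text: the subscriber generates a fresh key pair for this request and
// sends only base information plus the public key; the CA signs that public key with its own private key.
func Issue() (caCert, subCert *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject: pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example Org"}}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	caCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // a new pair for this request; never reused
	req := &x509.CertificateRequest{EmailAddresses: []string{"alice@example.com"}, // constructed sample subscriber
		Subject: pkix.Name{CommonName: "Alice Example", Organization: []string{"Example Org"}, Locality: []string{"Seattle"}}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, subKey))))
	must(0, csr.CheckSignature()) // the request is self-signed: proof that the requester holds the private key
	subTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, EmailAddresses: csr.EmailAddresses,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	subCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, subTmpl, caCert, csr.PublicKey, caKey))))
	return caCert, subCert
}

// Check is the relying party's side: the CA's public key verifies the signature; one altered byte breaks it.
func Check(caCert, subCert *x509.Certificate) (valid, tamperCaught bool) {
	valid = subCert.CheckSignatureFrom(caCert) == nil
	tbs := append([]byte(nil), subCert.RawTBSCertificate...)
	tbs[len(tbs)-1] ^= 0x01 // simulate an altered field inside the signed portion
	tamperCaught = caCert.CheckSignature(subCert.SignatureAlgorithm, tbs, subCert.Signature) != nil
	return valid, tamperCaught
}

func main() {
	fmt.Println(Check(Issue())) // prints: true true
}
```

Note that the subscriber's own public key cannot validate the CA's signature; only the issuer's key can, which is why a relying party needs the CA certificate (and not just the subscriber's) to check a certificate.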
You can list your installed certificates using the command-line Certmgr.exe utility that comes with the Windows Platform SDK, but first you have to know the name of the "store" where they are located. A system can have any number of stores (certificates might be stored individually in files, for example), but all systems will have a root store. To list the certificates in your root store, use the command certmgr -s root. The list you get should include the CA certificates that appeared in IE4's Authorities dialog described earlier. Certmgr is a much handier tool than the UI method, though, because you can also use it to add and delete certificates or export them to other stores (including files). If you have more than a single certificate (which is likely), the output will quickly scroll off the screen. You can control this by piping the output through the DOS more command or by redirecting it to a text file.
Next: Secure Web Services

Published as PC Tech Feature in the 4/20/99 issue of PC Magazine.
Copyright (c) 1999 Ziff-Davis Inc.