In order for two entities to successfully exchange data that is protected using certificates, both entities must trust the same CA. In other words, by trusting a CA you are in effect trusting that someone else has verified identity, and you trust that verification is correct. In Windows, you trust a CA when a copy of the CA’s certificate is placed in your Trusted Root Certification Authorities store on your computer. Other operating systems have similar mechanisms.
In the event that you receive a certificate that is issued by a CA that is not in your Trusted Root Certification Authorities store, you will be prompted that the certificate does not come from a trusted source and you will be forced to take an action. You may choose to not trust the certificate, you may choose to trust only that one certificate, or you may choose to trust the CA that issued the certificate.
PKI in Action – SSL
The most common example of a functional PKI in action is the SSL protocol. When you access a web site with the prefix https you are accessing the site via SSL. There are two things that happen for this to be successful. First you must exchange a secret session key with the web server, and second you must verify the web server’s identity. The first step is beyond the scope of this article, but will be covered in another. The second step involves the client web browser requesting a copy of the server’s certificate.
Once a copy of the server’s certificate has been retrieved, your web browser validates that the certificate has not expired, and that the signature is valid. Finally, it ensure it was issued by a CA you have chosen to trust. Once this is accomplished, the session key is transmitted to the server, encrypted with the server’s public key, and your secure session can begin.
This was a crash course in how public certificate systems work, but it is by no means complete. There are many issues that surround the planning, implementation and maintenance of PKI systems. My next article in this series will cover the Windows Server 2003 Certificate Services product.