Of all the many services that Windows 2000 offers, one of the least understood is probably Certificate Services. While it may seem that anything that has to do with cryptography is unnecessarily complex, understanding the main elements is certainly not difficult. Certificate Services exist for one primary purpose – to help in the creation of something referred to as a Public Key Infrastructure (PKI). The purpose of a PKI is simple – to allow data to be encrypted, to have users (or computers or services) authenticated and verified, and to have some system of trust that allows this all to work efficiently. You should also have an awareness of what certificates can be used for in Windows 2000 – in other words, why you should even care. Examples include authentication by Smart Cards, encrypting files and email messages, authenticating to web sites, authenticating computers for L2TP connections, and so forth – each of which relates to or relies on PKI in some respect. The key to understanding how a PKI works first involves understanding the two main elements that it is made up of – certificates and Certificate Authorities.
To make things easier, from now on I would suggest thinking of a certificate as being like a driver's license. For all intents and purposes, it is a piece of identification that tells something about you and can be used as proof of your identity. The most important detail about your driver's license is the fact that it was issued by a trusted third party, more than likely a department of local government. The license bears the department logo or signature, and as such they vouch for your identity. The only reason that a driver's license works as identification is because we have established trust in the system – I believe that your license is real because it was issued by the government, and also because I too carry a license which is proof of my identity. I trust the government and so do you, so the system works (whether you really think the government is trustworthy is another story). In this case, the government is acting as the trusted third party – the Certificate Authority (CA). So first and foremost, think of the certificate as something that can prove your identity, with the CA acting as the one who has actually verified that you are who you say you are.