Sign in
 
HomeWindows Server 2012Windows Server 2008 R2Windows Server 2003LibraryForums
Windows Server TechCenter >
certificates and PKI question

Answered certificates and PKI question

  • Tuesday, November 27, 2012 12:53 PM
     
     
    Sign In to Vote
    0

    hi all,

    I am really trying to better understand certificates and PKI.

    I totally understand how certificates work and I also totally understand how PKI works however I have been doing some reading this morning about certificates and PKI but I think I have got myself confused.

    ok . . if I go into internet explorer > internet options > tools > content > certificates I then see a number of tabs which are - personal - other people - intermediate certificate authorities - trusted root certificate authorities - I can see lots of vendors certificates in the list under trusted root certificate authorities. However if I go to a website such as paypal (who are secure and do use a certificate) where does this certificate appear? Is it downloaded to my computer or not? I understand the certificate holds the public key but I do not understand where to certificate is and where it comes from?

    Why does internet explorer hold certificates for people like VeriSign? I thought VeriSign were just the CA who issue certificates for people such as paypal. I don't quite understand why all the CAs have their certificates listed within interne explorer.

    Sorry if my explanation isn't very clear . . . can someone help me understand the above?

    Thanks

     

All Replies

  • Tuesday, November 27, 2012 1:18 PM
     
     
    Sign In to Vote
    0

    > Is it downloaded to my computer or not?

    yes, it is downloaded for validation and SChannel negotiation.

    > Why does internet explorer hold certificates for people like VeriSign?

    can you clarify?

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

     
  • Tuesday, November 27, 2012 1:23 PM
     
     
    Sign In to Vote
    0

    OK, where is the cert downloaded to? for example if I go to paypal and the explorer bar turns green, I can click and view the cert from the explorer bar but where can I see it as a downloaded cert?

    here is a screen shot of the VeriSign cert on my machine. What are these certs for in this list?

     
  • Tuesday, November 27, 2012 5:12 PM
     
     Answered
    Sign In to Vote
    0

    > for example if I go to paypal and the explorer bar turns green, I can click and view the cert from the explorer bar but where can I see it as a downloaded cert?

    in web browser, obviously. It is downloaded into memory and is linked as a context handle to a current SSL sesstion. It is not installed anywhere.

    > What are these certs for in this list?

    these are trusted root certificates and are used to establish a trust to certificates and their chains.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

     
  • Wednesday, November 28, 2012 11:25 AM
     
     
    Sign In to Vote
    0

    no what I am saying or asking is . . why do some certs need to be installed and some can be used in memory?

    you use the word obviously . . its not obvious and this is what is causing my confusion, it seems some certs need installing and some run in memory like you said above.

    I understand that certs are used to establish trust but I want to understand in more depth which is why I though I would ask in this forum.

    just because something is obvious to you does not mean it is obvious to me.

     
  • Wednesday, November 28, 2012 4:49 PM
     
     Answered
    Sign In to Vote
    0

    > its not obvious and this is what is causing my confusion

    sorry, I was confused with your statement "I totally understand how certificates work and I also totally understand how PKI works".

    > it seems some certs need installing and some run in memory like you said above

    trusted root certificates must be installed in the store. If certain certificate chain ends up to any root certificate in Trusted Root CAs container (as you displayed in screenshots), the chain is considered trusted. Otherwise, not. There are other certificate store containers and they are used for other purposes.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

     
  • Monday, December 03, 2012 8:42 AM
    Moderator
     
     
    Sign In to Vote
    0

    Hi,

    As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best Regards

    Kevin

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.