Tuesday, November 27, 2012 12:53 PM
I am really trying to better understand certificates and PKI.
I totally understand how certificates work and I also totally understand how PKI works however I have been doing some reading this morning about certificates and PKI but I think I have got myself confused.
ok . . if I go into internet explorer > internet options > tools > content > certificates I then see a number of tabs which are - personal - other people - intermediate certificate authorities - trusted root certificate authorities - I can see lots of vendors certificates in the list under trusted root certificate authorities. However if I go to a website such as paypal (who are secure and do use a certificate) where does this certificate appear? Is it downloaded to my computer or not? I understand the certificate holds the public key but I do not understand where to certificate is and where it comes from?
Why does internet explorer hold certificates for people like VeriSign? I thought VeriSign were just the CA who issue certificates for people such as paypal. I don't quite understand why all the CAs have their certificates listed within interne explorer.
Sorry if my explanation isn't very clear . . . can someone help me understand the above?
Tuesday, November 27, 2012 1:18 PM
> Is it downloaded to my computer or not?
yes, it is downloaded for validation and SChannel negotiation.
> Why does internet explorer hold certificates for people like VeriSign?
can you clarify?
Tuesday, November 27, 2012 1:23 PM
OK, where is the cert downloaded to? for example if I go to paypal and the explorer bar turns green, I can click and view the cert from the explorer bar but where can I see it as a downloaded cert?
here is a screen shot of the VeriSign cert on my machine. What are these certs for in this list?
Tuesday, November 27, 2012 5:12 PM
> for example if I go to paypal and the explorer bar turns green, I can click and view the cert from the explorer bar but where can I see it as a downloaded cert?
in web browser, obviously. It is downloaded into memory and is linked as a context handle to a current SSL sesstion. It is not installed anywhere.
> What are these certs for in this list?
these are trusted root certificates and are used to establish a trust to certificates and their chains.
Wednesday, November 28, 2012 11:25 AM
no what I am saying or asking is . . why do some certs need to be installed and some can be used in memory?
you use the word obviously . . its not obvious and this is what is causing my confusion, it seems some certs need installing and some run in memory like you said above.
I understand that certs are used to establish trust but I want to understand in more depth which is why I though I would ask in this forum.
just because something is obvious to you does not mean it is obvious to me.
Wednesday, November 28, 2012 4:49 PM
> its not obvious and this is what is causing my confusion
sorry, I was confused with your statement "I totally understand how certificates work and I also totally understand how PKI works".
> it seems some certs need installing and some run in memory like you said above
trusted root certificates must be installed in the store. If certain certificate chain ends up to any root certificate in Trusted Root CAs container (as you displayed in screenshots), the chain is considered trusted. Otherwise, not. There are other certificate store containers and they are used for other purposes.
- Marked As Answer by K_evin ZhuMicrosoft Contingent Staff, Moderator Monday, December 03, 2012 8:42 AM
Monday, December 03, 2012 8:42 AMModerator
As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.