This section describes how to use various windows displayed at different times by Certificate Manager. The additional information given here appears when you click the Help button in one of those windows.
In this section: |
The Certificate Viewer displays information about a certificate you selected in one of the Certificate Manager tabs. The General tab summarizes information about who issued the certificate, its verification status, what the certificate can be used for, and so on. The Details tab provides complete details on the certificate's contents.
If you are not currently viewing the Certificate Viewer, follow these steps:
In this section: |
When you first open the Certificate Viewer, the General tab displays several kinds of information about the selected certificate:
Click the Details tab at the top of the Certificate Viewer to see more detailed information about the selected certificate. To examine information for any certificate in the Certificate Hierarchy area, select its name, select the field under Certificate Fields that you want to examine, and read the field's value under Field Value:
The Certificate Viewer displays basic ANSI types in human-readable form wherever possible. For fields whose contents the Certificate Manager cannot interpret, it displays the actual values contained in the certificate.
A security device (sometimes called a token) is a hardware or software device that provides cryptographic services such as encryption and decryption and stores certificates and keys. The Choose Security Device window appears when Certificate Manager needs help deciding which security device to use when importing a certificate or performing a cryptographic operation, such as generating keys for a new certificate. This window allows you to select one of two or more security devices that Certificate Manager has detected on your machine.
A smart card is one example of a security device. For example, if a smart card reader connected to your computer has a smart card inserted in it, the name of the smart card will show up in the drop-down menu. In this case, you must choose the name of the smart card from the menu to let Certificate Manager know that you want to use it.
The Certificate Manager also supplies its own default, built-in security device, which can always be used no matter what additional devices are or aren't available.
Certificate authorities (CAs) that issue separate signing and encryption email certificates typically make backup copies of your private encryption key during the certificate enrollment process.
The Encryption Key Copy dialog box allows you to approve the creation of such a backup or cancel the ceritificate request. A CA that has archived a backup copy of your encryption key has the potential capability of decrypting any messages you receive that were encrypted with your corresponding public key.
You can take these actions from the Encryption Key Copy dialog box:
If you are not sure whether to trust the CA that is requesting the backup copy, talk to your system administrator.
After your CA makes a backup copy of the encryption key, you will be able to use that key to access your encrypted mail even if you lose your password or lose your own copy of the key. If no backup copy of your encryption key exists and you lose your password or the key, you will have no way of reading email messages that were encrypted with that key.
When you receive a certificate, make a backup copy of the certificate and its private key, then store the copy in a safe place. For example, you can put the copy on a floppy disk and store it with other valuable items under lock and key. That way, even if you have hard disk or file corruption problems, you can easily restore the certificate.
It can be inconvenient, at best, and in some situations catastrophic to lose your certificate and its associated private key, depending on what you use it for. For example:
Like any other valuable data, certificates should be backed up to avoid future trouble and expense. Do it now so you don't forget.
Some web sites require that you identify yourself with a certificate rather than a name and password, because certificates provide a more reliable form of identification. This method of identifying yourself over the Internet is sometimes called client authentication.
However, Certificate Manager may have more than one certificate on file that can be used for the purposes of identifying yourself to a web site. In this case, Certificate Manager presents the User Identification Request dialog box, which displays two kinds of information:
This site has requested that you identify yourself with a certificate: This section of the dialog box lists the following information:
Choose a certificate to present as identification: The certificates you have available for the purposes of identifying yourself to a web site are listed in the drop-down list in this section of the dialog box. Choose the certificate that seems most likely to be recognized by the web site you want to visit.
To help you decide, the following details of the selected certificate are displayed:
The certificates that the Certificate Manager has on file, whether stored on your computer or on an external security device such as a smart card, include certificates that identify certificate authorities (CAs). To be able to recognize any other certificates it has on file, Certificate Manager must have certificates for the CAs that issued or authorized issuance of those certificates.
When you decide to trust a CA, Certificate Manager downloads that CA's certificate and can then recognize the kinds of certificates you trust that CA to issue.
Before downloading a new CA certificate, Certificate Manager allows you to specify the purposes for which you trust the certificate, if at all. You can select any of the following options:
Before you decide to trust a new CA, make sure that you know who is operating it. Make sure the CA's policies and procedures are appropriate for the kinds of certificates it issues. For example, if the CA issues certificates identifying web sites you use for financial transactions, make sure you are comfortable with the level of assurance the CA provides.
One of the windows listed here may appear when you attempt to go to a web site that supports the use of SSL for authentication and encryption.
In this section: Web Site Certified by an Unknown Authority |
Many web sites use certificates to identify themselves when you visit the site. If Certificate Manager doesn't recognize the certificate authority (CA) that issued a web site's certificate, it displays an alert that allows you to examine the new web site certificate and decide what to do.
You can choose one of these options from this alert:
Click OK to confirm your choice. If you click Cancel, Certificate Manager will not recognize the certificate as legitimate identification and will not connect to the web site.
Important note for server administrators: This alert may be triggered by a server that is not configured correctly. To find out if this is the case, the server administrator or webmaster for the site you are attempting to visit should check the status of any required intermediate CAs and if necessary, install the missing certificate in the server.
If you decide to contact the web site's webmaster about this issue, you can include the following information:
For advanced users: To ensure that Certificate Manager trusts all certificates issued by a given CA, you can edit the trust settings for the corresponding CA certificate. To do so, follow these steps:
Like a credit card, a driver's license, and many other forms of identification, a certificate is valid for a specified period of time. When a certificate expires, the owner of the certificate needs to get a new one.
Certificate Manager warns you when you attempt to visit a web site whose server certificate has expired. The first thing you should do is make sure the time and date displayed by your computer is correct. If your computer's clock is set to a date that is after the expiration date, Certificate Manager treats the web site's certificate as expired.
If your computer's clock is set correctly, you need to make a decision about whether to trust the site. This decision depends on what you intend to do at the site and what else you know about it. Most commercial sites will make sure that they replace their certificates before they expire.
You can take these actions from the Expired Server Certificate dialog box:
Be cautious about any actions you take while you are visiting the site.
Like a credit card, a driver's license, and many other forms of identification, a certificate is valid for a specified period of time.
Certificate Manager warns you when you attempt to visit a web site whose server certificate's validity period has not yet started. The first thing you should do is make sure the time and date displayed by your own computer is correct. If your computer's clock is set to the wrong date, Certificate Manager may treat the server certificate as not yet valid even if this is not the case.
If your computer's clock is set correctly, you need to make a decision about whether to trust the site. This decision depends on what you intend to do at the site and what else you know about it. Most commercial sites will make sure that the validity period for their certificates has begun before beginning to use them.
You can take these actions from the Server Certificate Not Yet Valid dialog box:
Be cautious about any actions you take while you are visiting the site.
A server certificate specifies the name of the server in the form of the site's domain name. For example, the domain name for the Netscape web site is home.netscape.com. If the domain name in a server's certificate doesn't match the actual domain name of the web site, it may be a sign that someone is attempting to intercept your communication with the web site.
The decision whether to trust the site anyway depends on what you intend to do at the site and what else you know about it. Most commercial sites will make sure that the host name for a web site certificate matches the web site's actual host name.
You can take these actions from the Domain Name Mismatch dialog box:
Be cautious about any actions you take while you are visiting the site, and treat any information you find there as potentially suspect.
If you decide to accept the certificate anyway for this session, you should be cautious about what you do on the web site, and you should treat any information you find there as potentially suspect.
8 October 2002
Copyright © 1994-2002 Netscape Communications Corporation.