Validating Microsoft Windows

In general, three main areas of a certificate are checked during validation:

In many cases, certificates are designed to identify the computer or person that holds the corresponding private key. For example, when a user provides their Windows Live credentials to log on to a website, the computer validates that the certificate presented by the web server is valid for the host name in the URL the user is accessing. Later, when version 3 of the X.509 standard was adopted, the Subject Alternative Name extension (often referred to as the "SAN" field) was added, giving the issuer additional flexibility in specifying the identity of the authenticating entity. Out of the box this provided options to identify the certificate owner in any of the following ways (ref:

The alternative is to publish the AIA path over HTTP, a more common and Internet-friendly means of distribution. When using HTTP, make sure the web servers hosting the AIA path are highly available and scalable enough to handle requests from every client that may need to validate a certificate issued by the CA. Publish the path as plain http:// rather than https://: a client fetching an issuer certificate has, by definition, not yet finished building a chain, so an HTTPS AIA URL creates a circular dependency, and the downloaded certificate is protected by the chain's own signatures rather than by the transport.

When a CA issues a certificate, the signing certificate's subject key identifier (SKI) is copied into the issued certificate's authority key identifier (AKI) before the certificate is signed, asserting the relationship between the two. To validate a certificate chain, the validating client must have access to every certificate up to and including the root CA.

Since root CAs do not have an issuer, their certificate will not carry all of the information used to validate other types of certificates (i.e. Because of this, to establish trust with a root CA it must be installed in the Trusted Root Certification Authorities store (Root CA; the store is named Root in the certificate store path, for example Cert:\LocalMachine\Root). By default, the client will try to use the certificate's AIA path unless the issuer's certificate is already published to the client's Intermediate Certification Authorities store (Sub CA; store name CA) or cached locally. Windows and Active Directory provide a number of ways to publish these certificates, which are discussed below.

Validity of a certificate chain is established by retrieving the issuer's certificate (by default from the certificate's AIA path) and matching the issuing certificate's subject key identifier (SKI) against the issued certificate's AKI. The SKI/AKI match is how the chain engine selects a candidate issuer; the link is only accepted once the issued certificate's signature verifies under the issuer's public key and the issuer certificate itself passes its validity period, basic constraints and key usage checks. As discussed in part 2 of this series, the AKI can identify the issuer in one of three ways: a key identifier (the value copied from the issuer's SKI), the issuer certificate's serial number, or the issuer's name expressed as a GeneralName, with the last two used together. The SKI itself is a single identifier, commonly a hash of the subject public key.
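The following script is an added example and is not code from the original post. It ties together the two points above: it builds a certificate's chain the way a Windows client does, reports for each link whether the issuer's SKI matches the child's AKI and whether the issuer was already present in a local Root or CA store (so no AIA fetch would be needed), and probes the HTTP AIA URLs for reachability. It assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows, because the `KeyID=` and `URL=` parsing relies on the text CryptoAPI produces from `Format()`; the store paths and the function names are my own choices.

```powershell
# Added example, not code from the original post. Requires Windows (CryptoAPI Format() text).

function Get-ExtensionText {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $Oid
    )
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if ($ext) { return $ext.Format($true) }
}

function Get-KeyIdentifiers {
    # SKI (2.5.29.14) and the KeyID part of the AKI (2.5.29.35), normalised to bare upper-case hex.
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $ski = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] } |
        ForEach-Object { $_.SubjectKeyIdentifier.ToUpperInvariant() } | Select-Object -First 1
    $aki = $null
    $akiText = Get-ExtensionText -Certificate $Certificate -Oid '2.5.29.35'
    if ($akiText -match 'KeyID=([0-9a-fA-F :]+)') { $aki = ($Matches[1] -replace '[ :]', '').ToUpperInvariant() }
    [pscustomobject]@{ SKI = $ski; AKI = $aki }
}

function Get-AiaIssuerUrls {
    # Only the CA Issuers access method (1.3.6.1.5.5.7.48.2) points at an issuer certificate;
    # OCSP entries (1.3.6.1.5.5.7.48.1) in the same extension are ignored.
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $text = Get-ExtensionText -Certificate $Certificate -Oid '1.3.6.1.5.5.7.1.1'
    if (-not $text) { return @() }
    $text -split '\[\d+\]Authority Info Access' |
        Where-Object { $_ -match '1\.3\.6\.1\.5\.5\.7\.48\.2' } |
        ForEach-Object { [regex]::Matches($_, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value } }
}

function Test-AiaAvailability {
    # HEAD each http(s) AIA URL from this client; ldap:// paths are reported as skipped.
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $Url)
    foreach ($u in $Url) {
        if ($u -notmatch '^https?://') { [pscustomobject]@{ Url = $u; Reachable = $null; Detail = 'not HTTP, skipped' }; continue }
        try {
            $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10
            [pscustomobject]@{ Url = $u; Reachable = $true; Detail = [int]$r.StatusCode }
        } catch {
            [pscustomobject]@{ Url = $u; Reachable = $false; Detail = $_.Exception.Message }
        }
    }
}

function Get-ChainReport {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string[]] $LocalStores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA')
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)   # signature, validity period and trust-anchor checks happen here

    $installed = foreach ($s in $LocalStores) { if (Test-Path $s) { (Get-ChildItem $s).Thumbprint } }
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })

    $links = for ($i = 0; $i -lt $certs.Count; $i++) {
        $child = $certs[$i]
        $issuer = if ($i + 1 -lt $certs.Count) { $certs[$i + 1] } else { $null }
        $childIds = Get-KeyIdentifiers -Certificate $child
        $match = $null; $inStore = $null; $issuerSki = $null
        if ($issuer) {
            $issuerSki = (Get-KeyIdentifiers -Certificate $issuer).SKI
            $match = ($null -ne $childIds.AKI) -and ($childIds.AKI -eq $issuerSki)
            $inStore = $installed -contains $issuer.Thumbprint   # present locally, so no AIA fetch needed
        }
        [pscustomobject]@{
            Depth = $i; Subject = $child.Subject; IsRoot = ($null -eq $issuer)
            AKI = $childIds.AKI; IssuerSKI = $issuerSki; AkiMatchesIssuerSki = $match
            IssuerInLocalStore = $inStore; AiaIssuerUrls = @(Get-AiaIssuerUrls -Certificate $child)
        }
    }
    [pscustomobject]@{
        Built  = $built
        Status = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        Links  = $links
    }
}

# Usage: take a leaf from the local machine's personal store (or load a .cer from disk instead).
$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if ($leaf) {
    $report = Get-ChainReport -Certificate $leaf
    $report.Links | Format-Table Depth, Subject, AkiMatchesIssuerSki, IssuerInLocalStore, AiaIssuerUrls -AutoSize
    $report.Status
    Test-AiaAvailability -Url @($report.Links.AiaIssuerUrls | Where-Object { $_ }) | Format-Table -AutoSize
}
```

Read `AkiMatchesIssuerSki` as the chain-building hint it is: a `$true` there with a non-empty `Status` means the issuer was found but the link failed real validation (bad signature, expired issuer, untrusted root), and `Status` carries the reason. Run `Test-AiaAvailability` from an ordinary domain client rather than from the CA host, since the point of the AIA check is whether clients elsewhere can reach the publishing web servers; some servers refuse HEAD, so a `405` still proves the host is reachable.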
