You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.



Certificate Information and Decisions

This section describes how to use various windows displayed at different times by Certificate Manager. The additional information given here appears when you click the Help button in one of those windows.

In this section:

Certificate Details

Choose Security Device

Certificate Backup

User Identification Request

New Certificate Authority

Browser Won't Accept CRL

Web Site Certificates

 

Certificate Details

The Certificate Details window displays information about a certificate you selected in one of the Certificate Manager tabs. For most people, the General tab provides sufficient information. The Details tab provides complete details on the certificate's contents—information normally of interest to IS professionals only.

In this section:

General Tab

Details Tab

 

General Tab

When you first open the Certificate Details window, the General tab displays several kinds of information about the selected certificate:

  • This certificate has been verified for the following uses: See certificate verification for a discussion of how the Certificate Manager verifies certificates. Uses can include any of the following:
    • SSL Client Certificate. Certificate used to identify you to web sites.
    • SSL Server Certificate. Certificate used to identify a web site server to browsers.
    • Email Signer Certificate. Certificate used to identify you for the purposes of digitally signing email messages.
    • Email Recipient Certificate. Certificate used to identify someone else, for example so you can send that person encrypted email.
    • Status Responder Certificate. Certificate used to identify an online status responder that uses the Online Certificate Status Protocol (OCSP) to check the validity of certificates. For more information about OCSP, see Validation Settings.
    • Certificate Authority. Certificate used to identify a certificate authority—that is, a service that issues certificates for use as identification over computer networks.
  • Issued To: Summarizes the following information about the certificate:
    • Common Name. The name of the person or other entity that the certificate identifies.

    • Organization. The name of the organization to which the entity belongs (such as the name of a company).

    • Organizational Unit. The name of the organizational unit to which the entity belongs (such as Accounting Department).

    • Serial Number. The certificate's serial number.
  • Issued By: Summarizes information (similar to that provided under "Issued To"; see above) about the certificate authority (CA) that issued the certificate.
  • Validity: Indicates the period during which the certificate is valid.
  • Fingerprints: Lists the certificate's fingerprints. A fingerprint is a unique number produced by applying a mathematical function to the certificate contents. A certificate's fingerprint can be used to verify that the certificate has not been tampered with.

 

Details Tab

Click the Details tab at the top of the Certificate Details window to see more detailed information about the selected certificate. To examine information for any certificate in the Certificate Hierarchy area, select its name, select the field under Certificate Fields that you want to examine, and read the field's value under Field Value:

  • Certificate Hierarchy. Displays the certificate chain, with the certificate you originally selected at the bottom. A certificate chain is a hierarchical series of certificates signed by successive certificate authorities (CAs). A CA certificate identifies a certificate authority and is used to sign certificates issued by that authority. A CA certificate can in turn be signed by the CA certificate of a parent CA and so on up to a root_CA.
  • Certificate Fields. Displays the fields of the certificate selected under Certificate Hierarchy.
  • Field Value. Displays the value of the field selected under Certificate Fields.

The Certificate Details tab displays basic ANSI types in human-readable form wherever possible. For fields whose contents the Certificate Manager cannot interpret, it displays the actual values contained in the certificate.

 

Choose Security Device

A security device (sometimes called a token) is a hardware or software device that provides cryptographic services such as encryption and decryption and stores certificates and keys. The Choose Security Device window appears when Certificate Manager needs help deciding which security device to use when importing a certificate or performing a cryptographic operation, such as generating keys for a new certificate. This window allows you to select one of two or more security devices that Certificate Manager has detected on your machine.

A smart card is one example of a security device. For example, if a smart card reader connected to your computer has a smart card inserted in it, the name of the smart card will show up in the drop-down menu. In this case, you must choose the name of the smart card from the menu to let Certificate Manager know that you want to use it.

The Certificate Manager also supplies its own default, built-in security device, which can always be used no matter what additional devices are or aren't available.

 

Certificate Backup

When you receive a certificate, make a backup copy of the certificate and its private key, then store the copy in a safe place. For example, you can put the copy on a floppy disk and store it with other valuable items under lock and key. That way, even if you have hard disk or file corruption problems, you can easily restore the certificate.

It can be inconvenient, at best, and in some situations catastrophic to lose your certificate and its associated private key, depending on what you use it for. For example:

  • If you lose a certificate that identifies you to important web sites, you will not be able to access those web sites until you obtain a new certificate.
  • If you lose a certificate used to encrypt email messages, you will not be able to read any of your encrypted email—including both encrypted messages that you have sent and encrypted messages that you have received. In this case, if you cannot obtain a backup of the private encryption key associated with the certificate, you will never be able to read any of the messages encrypted with that key.

Like any other valuable data, certificates should be backed up to avoid future trouble and expense. Do it now so you don't forget.

 

User Identification Request

Some web sites require that you identify yourself with a certificate rather than a name and password, because certificates provide a more reliable form of identification. This method of identifying yourself over the Internet is sometimes called client authentication.

However, Certificate Manager may have more than one certificate on file that can be used for the purposes of identifying yourself to a web site. In this case, Certificate Manager presents the User Identification Request window, which allows you to select the appropriate certificate for the web site you want to visit.

Web sites can also use certificates to identify themselves. The certificate presented by the web site you want to visit is displayed in the top part of this window. The information provided includes the name of the CA that issued the certificate (labeled "Issued Under").

The certificates you have available for the purposes of identifying yourself to a web site are listed in the drop-down menu in the bottom part of the window. Choose the certificate that seems most likely to be recognized by the web site you want to visit.

 

New Certificate Authority

The certificates that the Certificate Manager has on file, whether stored on your computer or on an external security device such as a smart card, include certificates that identify certificate authorities (CAs). To be able to recognize any other certificates it has on file, Certificate Manager must have certificates for the CAs that issued or authorized issuance of those certificates. When you decide to trust a CA, Certificate Manager files that CA's certificate and can then recognize the kinds of certificates you trust that CA to issue.

Before accepting a new CA certificate, Certificate Manager displays a window that allows you to specify how you want to trust the certificate, if at all. You can click View to see the CA certificate, or Policy to see information about the CA's policies.

Before you decide to trust a new CA, make sure that you know who is operating it. Make sure the CA's policies and procedures are appropriate for the kinds of certificates it issues. For example, if the CA issues certificates identifying web sites you use for financial transactions, make sure you are comfortable with the level of assurance the CA provides.

You also need to decide what kinds of certificates issued by this CA you want to trust. You can select any of the following options:

  • Trust this CA to identify web sites. Web site certificates for some sites, such as those that handle financial transactions, can be extremely important, and inappropriate or false identification can have negative consequences.
  • Trust this CA to identify email users. If you intend to send email users confidential information in encrypted form, or if accurate identification of email users is important to you for any other reason, you should consider carefully the CA's procedures for identifying prospective certificate owners and whether they are appropriate for your purposes before selecting this option.
  • Trust this CA to identify software developers. Selecting this option means that you trust the CA to issue certificates that identify the origin of Java applets and JavaScript scripts requesting special access to your computer, such as the ability to change files. Since such access privileges can be misused, for example to destroy data stored on your hard disk, be very careful about selecting this option unless you are certain that you trust the CA for this purpose.

 

Browser Won't Accept CRL

A certificate revocation list (CRL) is list of revoked certificates. The browser uses the CRLs it has available to check the validity of certificates issued by the corresponding certificate authorities (CAs). If a certificate is listed as revoked, the browser won't accept it as evidence of identity.

A CA typically publishes an updated CRL at regular intervals. Every CRL includes a date, specified in the Next Update field, by which the CA will publish the next update of that CRL. If the date in the Next Update field is earlier than the current date, you should obtain the most recent version of the CRL.

Although the absence of the most recent CRL does not by itself invalidate a certificate, the browser can't accept a server certificate unless the corresponding CRL is the most recent available. In some situations, you may want to delete CRLs with Next Update dates earlier than the present. Speak to your system administrator for guidance on CRL management.

For more information on CRLs and instructions for viewing or deleting them, see Managing CRLs.

 

Web Site Certificates

One of the windows listed here may appear when you attempt to go to a web site that supports the use of SSL for authentication and encryption.

In this section:

New Web Site Certificate

Expired Web Site Certificate

Web Site Certificate Not Yet Valid

Unexpected Certificate Name

 

New Web Site Certificate

Many web sites use certificates to identify themselves when you visit the site. If Certificate Manager doesn't recognize the certificate authority (CA) that issued a web site's certificate, it displays an alert that allows you to examine the new web site certificate and decide what to do.

To examine the certificate, click View Certificate.

You can take any of these actions:

  • If you suspect that the web site is not what it claims to be, click Cancel. Certificate Manager will not connect with this web site this time and will display the same window again the next time you visit the web site.

    Canceling might be appropriate, for example, if you perform financial transactions at the web site. In this case you might want to report the problem to the bank or other organization that runs the site and confirm that the site's certificate is valid before you go any further.

  • If you wish to view the web site despite the problem, click Continue and proceed with caution. Certificate Manager will recognize this certificate as legitimate identification for this session only. You'll see the same alert the next time you visit the site.
  • If you're sure that the certificate is valid, select "Remember this certificate permanently" and then click Continue. Certificate Manager will recognize this certificate as legitimate identification until it expires.

Selecting "Remember this certificate permanently" solves the problem for this web site certificate, but you'll see the same alert for any other web site whose certificate was issued by the same CA.

To ensure that the Certificate Manager will trust all certificates issued by a given CA, you must edit the trust settings for the corresponding CA certificate. To do so, follow these steps:

  1. Open the Edit menu and choose Preferences.
  2. Under the Privacy & Security category, click Certificates. (If no subcategories are visible, double-click the category to expand the list.)
  3. Click Manage Certificates.
  4. Click the Authorities tab.
  5. Select the CA certificate whose trust settings you want to edit.
  6. Click the Edit button and select the appropriate trust settings.

For help deciding which trust settings you should select, click the Help button in the Edit dialog box or see Edit CA Certificate Settings.

 

Expired Web Site Certificate

Like a credit card, a driver's license, and many other forms of identification, a certificate is valid for a specified period of time. When a certificate expires, the owner of the certificate needs to get a new one.

Certificate Manager displays the Expired Web Site Certificate window when you attempt to visit a web site whose certificate has expired. As the window explains, the first thing you should do is make sure the time and date displayed by your computer is correct. If your computer's clock is set to a date that is after the expiration date, Certificate Manager treats the web site's certificate as expired.

You can examine information about the certificate, including its validity period, by clicking the View button.

The decision whether to trust the site anyway depends on what you intend to do at the site and what else you know about it. Most commercial sites will make sure that they replace their certificates before they expire.

If you believe the certificate's expiration is an inadvertent error, you may want to accept the certificate anyway for this session and let the webmaster for the site know about the problem.

If you suspect that there may be a more significant problem, either accept the certificate and be cautious about any actions you take while you are visiting the site, or do not accept the certificate (in which case the browser will not connect you to the site).

 

Web Site Certificate Not Yet Valid

Like a credit card, a driver's license, and many other forms of identification, a certificate is valid for a specified period of time.

Certificate Manager displays the Web Site Certificate Not Yet Valid window when you attempt to visit a web site whose certificate's validity period has not yet started. The first thing you should do is make sure the time and date displayed by your own computer is correct. If your computer's clock is set to the wrong date, Certificate Manager may treat the web site's certificate as not yet valid even if this is not the case.

You can examine information about the certificate, including its validity period, by clicking the View button.

The decision whether to trust the site anyway depends on what you intend to do at the site and what else you know about it. Most commercial sites will make sure that the validity period for their certificates has begun before beginning to use them.

If you believe the certificate's expiration is an inadvertent error, you may want to accept the certificate anyway for this session and let the webmaster for the site know about the problem.

If you suspect that there may be a more significant problem, either accept the certificate and be cautious about any actions you take while you are visiting the site, or do not accept the certificate (in which case Certificate Manager will not connect you to the site).

 

Unexpected Certificate Name

A web site certificate specifies the name of the web site in the form of the site's host name. For example, the host name for the Netscape web site is home.netscape.com. If the host name in a web site's certificate doesn't match the actual host name of the web site, it may be a sign that someone is attempting to intercept your communication with the web site.

The decision whether to trust the site anyway depends on what you intend to do at the site and what else you know about it. Most commercial sites will make sure that the host name for a web site certificate matches the web site's actual host name.

If you decide to accept the certificate anyway for this session, you should be cautious about what you do on the web site, and you should treat any information you find there as potentially suspect.


9/06/2001

Copyright © 1994-2001 Netscape Communications Corporation.