In Diffie-Hellman and DSS key exchanges, a brand new cipher key is created for each session. This makes sense in applications like IPSec, where a secure network link is set up on an ad hoc basis. But what if you want to retain the key for later use, such as for digital signatures? You need a way to transport the key securely and, just as importantly, you want assurance that the key comes from an authorized issuer and has not been tampered with along the way.

The data structure used to transport and validate keys is called a certificate. A certificate acts as a strongbox that protects the key while guaranteeing the identity of the issuer, the identity of the owner, and the purposes for which the key can ...
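The three guarantees a certificate carries (who issued it, who owns the key, and what the key may be used for) map directly onto checks a relying party performs before trusting a transported key. The example below is added here and is not code from the book; it uses Go's standard crypto/x509 package to build a constructed two-level chain (a self-signed issuing CA and a signing certificate it issues; the CA name and the owner "alice@example.test" are invented sample values) and then runs the issuer, owner and purpose checks, showing that a single altered byte in the owner name breaks the issuer's signature and is rejected.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const owner = "alice@example.test" // constructed sample owner name

// buildChain creates a constructed PKI for demonstration: a self-signed CA
// and one end-entity certificate approved only for digital signatures.
// Keys are generated fresh on every run; nothing here is a real credential.
func buildChain() (caDER, leafDER []byte, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// A self-signed root: template and parent are the same certificate.
	caDER, err = x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: owner},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		// Purpose restriction: this key may sign, but not encrypt or issue certs.
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	// The CA's private key signs the leaf; the leaf carries only its public key.
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	return caDER, leafDER, err
}

// validateSigningCert performs the relying party's checks on a transported
// certificate: issuer (chains to a trusted CA and the signature over the
// certificate body verifies), owner (subject matches who we expect), and
// purpose (the key is approved for digital signatures).
func validateSigningCert(leafDER, caDER []byte, expectedOwner string) error {
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return fmt.Errorf("parse CA: %w", err)
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Verify checks the signature chain, validity period and extended key usage.
	// Any change to the signed body (tampering) makes the CA's signature fail.
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}); err != nil {
		return fmt.Errorf("issuer check failed: %w", err)
	}
	if leaf.Subject.CommonName != expectedOwner {
		return errors.New("owner check failed: subject does not match expected owner")
	}
	if leaf.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("purpose check failed: key not approved for digital signatures")
	}
	return nil
}

// tamperSubject simulates in-transit modification by changing the first byte
// of the owner name inside the DER encoding; ASN.1 stays well-formed, but the
// bytes the CA signed no longer match.
func tamperSubject(der []byte) []byte {
	out := append([]byte(nil), der...)
	if i := bytes.Index(out, []byte(owner)); i >= 0 {
		out[i] = 'b'
	}
	return out
}

func main() {
	ca, leaf, err := buildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", validateSigningCert(leaf, ca, owner))
	fmt.Println("wrong owner:", validateSigningCert(leaf, ca, "mallory@example.test"))
	fmt.Println("tampered:", validateSigningCert(tamperSubject(leaf), ca, "blice@example.test"))
}
```

The order of the checks matters: chain and signature verification runs first, so a certificate whose body was altered after issuance is rejected before its (now untrustworthy) subject or key-usage fields are ever consulted.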
