This document is provided for your information only. It may help you take certain steps to protect the privacy and security of your personal information on the Internet. This document does not, however, address all online privacy and security issues, nor does it represent a recommendation about what constitutes adequate privacy and security protection on the Internet.

Certificate Information and Decisions

This section describes how to use various windows displayed at different times by Certificate Manager. The additional information given here appears when you click the Help button in one of those windows.

In this section:

Certificate Viewer

The Certificate Viewer displays information about a certificate you selected in one of the Certificate Manager tabs. The General tab summarizes information about who issued the certificate, its verification status, what the certificate can be used for, and so on. The Details tab provides complete details on the certificate's contents.

If you are not currently viewing the Certificate Viewer, follow these steps:

  1. Open the &brandShortName; Edit menu and choose Preferences.
  2. Under the Privacy & Security category, click Certificates. (If no subcategories are visible, double-click Privacy & Security to expand the list.)
  3. Click Manage Certificates.
  4. Click the tab for the type of certificate whose details you want to view.
  5. Select the certificate whose details you want to view.
  6. Click View.

In this section:

General Tab

When you first open the Certificate Viewer, the General tab displays several kinds of information about the selected certificate:

Details Tab

Click the Details tab at the top of the Certificate Viewer to see more detailed information about the selected certificate. To examine information for any certificate in the Certificate Hierarchy area, select its name, select the field under Certificate Fields that you want to examine, and read the field's value under Field Value:

The Certificate Viewer displays basic ANSI types in human-readable form wherever possible. For fields whose contents the Certificate Manager cannot interpret, it displays the actual values contained in the certificate.

Choose Security Device

A security device (sometimes called a token) is a hardware or software device that provides cryptographic services such as encryption and decryption and stores certificates and keys. The Choose Security Device window appears when Certificate Manager needs help deciding which security device to use when importing a certificate or performing a cryptographic operation, such as generating keys for a new certificate. This window allows you to select one of two or more security devices that Certificate Manager has detected on your machine.

A smart card is one example of a security device. For example, if a smart card reader connected to your computer has a smart card inserted in it, the name of the smart card will show up in the drop-down menu. In this case, you must choose the name of the smart card from the menu to let Certificate Manager know that you want to use it.

The Certificate Manager also supplies its own default, built-in security device, which can always be used no matter what additional devices are or aren't available.

Encryption Key Copy

Certificate authorities (CAs) that issue separate signing and encryption email certificates typically make backup copies of your private encryption key during the certificate enrollment process.

The Encryption Key Copy dialog box allows you to approve the creation of such a backup or cancel the certificate request. A CA that has archived a backup copy of your encryption key has the potential capability of decrypting any messages you receive that were encrypted with your corresponding public key.

You can take these actions from the Encryption Key Copy dialog box:

After your CA makes a backup copy of the encryption key, you will be able to use that key to access your encrypted mail even if you lose your password or lose your own copy of the key. If no backup copy of your encryption key exists and you lose your password or the key, you will have no way of reading email messages that were encrypted with that key.

Certificate Backup

When you receive a certificate, make a backup copy of the certificate and its private key, then store the copy in a safe place. For example, you can put the copy on a floppy disk and store it with other valuable items under lock and key. That way, even if you have hard disk or file corruption problems, you can easily restore the certificate.

It can be inconvenient, at best, and in some situations catastrophic to lose your certificate and its associated private key, depending on what you use it for. For example:

Like any other valuable data, certificates should be backed up to avoid future trouble and expense. Do it now so you don't forget.

User Identification Request

Some websites require that you identify yourself with a certificate rather than a name and password, because certificates provide a more reliable form of identification. This method of identifying yourself over the Internet is sometimes called client authentication.

However, Certificate Manager may have more than one certificate on file that can be used for the purposes of identifying yourself to a website. In this case, Certificate Manager presents the User Identification Request dialog box, which displays two kinds of information:

This site has requested that you identify yourself with a certificate: This section of the dialog box lists the following information:

Choose a certificate to present as identification: The certificates you have available for the purposes of identifying yourself to a website are listed in the drop-down list in this section of the dialog box. Choose the certificate that seems most likely to be recognized by the website you want to visit.

To help you decide, the following details of the selected certificate are displayed:

New Certificate Authority

The certificates that the Certificate Manager has on file, whether stored on your computer or on an external security device such as a smart card, include certificates that identify certificate authorities (CAs). To be able to recognize any other certificates it has on file, Certificate Manager must have certificates for the CAs that issued or authorized issuance of those certificates.

When you decide to trust a CA, Certificate Manager downloads that CA's certificate and can then recognize the kinds of certificates you trust that CA to issue.

Before downloading a new CA certificate, Certificate Manager allows you to specify the purposes for which you trust the certificate, if at all. You can select any of the following options:

Before you decide to trust a new CA, make sure that you know who is operating it. Make sure the CA's policies and procedures are appropriate for the kinds of certificates it issues. For example, if the CA issues certificates identifying websites you use for financial transactions, make sure you are comfortable with the level of assurance the CA provides.

Website Certificates

When you attempt to go to a website that supports the use of SSL for authentication and encryption, you may be faced with an error page. There are two types, one called Secure Connection Failed and one called Untrusted Connection.

In this section:

Secure Connection Failed Page

If you have disabled the SSL protocol (e.g. through SSL/TLS Settings), or the website you are accessing uses an older, insecure version of the SSL protocol, you will be presented with a page titled "Secure Connection Failed". That page contains some basic background information (including the Error code that uniquely identifies the type of problem &brandShortName; detected with the website) and a Try Again button that triggers a page reload.

Untrusted Connection Page

If SSL itself is enabled, the error page you are presented with will be titled "This Connection is Untrusted". There are many different reasons why a connection can appear untrusted. Here are some of the most common ones:

The page displayed in the above cases is meant to help you understand why &brandShortName; was unable to establish a secure connection to the website. It starts by telling you that the website's identity could not be verified, then offers to take you away from the page when you click the This sounds bad, take me to my home page instead button. If you are unsure what to do, it is recommended that you follow this advice.

If you want to know a little bit more about the actual problem at hand you may expand the corresponding section by clicking the chevron in front of Technical Details. That section also contains the Error code that uniquely identifies the type of problem &brandShortName; detected with the website.

Adding a Security Exception

The I Understand the Risks section of the Untrusted Connection page allows you to tell &brandShortName; to explicitly override the security checks for this website by adding an exception. If you expand the section by clicking the chevron in front of it you will see an Add Exception button that will take you to a dialog allowing you to get and view the website's certificate and optionally add a Security Exception for it (either permanently or just for the current session). Those exceptions can be administered through the Certificate Manager's Servers tab.

Secure Connection Failed Dialog

In cases where &brandShortName; cannot determine the actual cause of the problem a dialog titled "Secure Connection Failed" is shown in addition to the Untrusted Connection page. That dialog includes a View Certificate button that allows you to examine the website's certificate more closely.

Certificate Expired

Like a credit card, a driver's license, and many other forms of identification, a certificate is valid for a specified period of time. When a certificate expires, the owner of the certificate needs to get a new one.

&brandShortName; warns you when you attempt to visit a website whose server certificate has expired. The first thing you should do is make sure the time and date displayed by your computer are correct. If your computer's clock is set to a date that is after the expiration date, &brandShortName; treats the website's certificate as expired.

If your computer's clock is set correctly, you need to make a decision about whether to trust the website. This decision depends on what you intend to do at the website and what else you know about it. Most commercial sites will make sure that they replace their certificates before they expire. If you choose to continue, you need to add a security exception.

Certificate Not Yet Valid

Like a credit card, a driver's license, and many other forms of identification, a certificate is valid for a specified period of time.

&brandShortName; warns you when you attempt to visit a website whose server certificate's validity period has not yet started. The first thing you should do is make sure the time and date displayed by your own computer are correct. If your computer's clock is set to the wrong date, &brandShortName; may treat the server certificate as not yet valid even if this is not the case.

If your computer's clock is set correctly, you need to make a decision about whether to trust the website. This decision depends on what you intend to do at the website and what else you know about it. Most commercial sites will make sure that the validity period for their certificates has begun before beginning to use them. If you choose to continue, you need to add a security exception.

Domain Name Mismatch

A server certificate specifies the name of the server in the form of the website's domain name. For example, the domain name for the Mozilla website is www.mozilla.org. If the domain name in a server's certificate doesn't match the actual domain name of the website, it may be a sign that someone is attempting to intercept your communication with the website.

&brandShortName; warns you when you attempt to visit a website whose server certificate's domain does not match the domain of the website you are trying to visit. The decision whether to trust the website anyway depends on what you intend to do at the site and what else you know about it. Most commercial sites will make sure that the host name for a website certificate matches the website's actual host name. If you choose to continue, you need to add a security exception.

If you decide to accept the certificate anyway (either for this session or permanently), you should be cautious about what you do on the website, and you should treat any information you find there as potentially suspect.
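The three warnings described above (Certificate Expired, Certificate Not Yet Valid and Domain Name Mismatch) come from the same validity and host name checks; the following added example walks a constructed certificate summary through those checks, including the effect of a wrongly set clock. It is not &brandShortName; or NSS code: the CertSummary fields, the wildcard-matching rule and the example.org names are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC timestamp (certificate times are UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class CertSummary:
    """Constructed summary of a server certificate (not a parsed real one):
    just the fields behind the three warnings this page describes."""
    subject_cn: str
    not_before: datetime
    not_after: datetime
    san_dns: list[str] = field(default_factory=list)


def hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match. A single '*' is accepted only as the
    whole leftmost label (*.example.org) and never spans a dot or a bare TLD."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def check_server_cert(cert: CertSummary, host: str, now: datetime) -> str:
    """Classify the certificate the way the warnings on this page do.
    Validity is judged against the supplied clock, so a wrong system clock
    yields 'expired' or 'not yet valid' for a perfectly good certificate."""
    if now < cert.not_before:
        return "not yet valid"
    if now > cert.not_after:
        return "expired"
    names = cert.san_dns or [cert.subject_cn]  # SAN names win when present
    if not any(hostname_matches(n, host) for n in names):
        return "domain name mismatch"
    return "ok"


# Constructed example certificate, valid for calendar year 2024.
EXAMPLE_CERT = CertSummary("www.example.org", utc(2024, 1, 1), utc(2024, 12, 31),
                           ["www.example.org", "*.example.org"])

if __name__ == "__main__":
    for host, clock in [("www.example.org", utc(2024, 6, 1)),
                        ("www.example.org", utc(2031, 6, 1)),  # clock set years ahead
                        ("a.b.example.org", utc(2024, 6, 1))]:
        print(host, clock.date(), check_server_cert(EXAMPLE_CERT, host, clock))
```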