path: root/l10n-ro/suite/chrome/common/help/using_certs_help.xhtml
blob: 235349d2a97bb88c8ef06b53f59d3307aaa6768e (plain)
<?xml version="1.0" encoding="utf-8"?>
<!-- This Source Code Form is subject to the terms of the Mozilla Public
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
  "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"[
  <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" >
  %brandDTD;
]>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Using Certificates</title>
<link rel="stylesheet" href="helpFileLayout.css"
  type="text/css"/>
</head>
<body>

<h1 id="using_certificates">Using Certificates</h1>

<p>A certificate is the digital equivalent of an ID card. Just as you may have
  several ID cards for different purposes, such as a driver&apos;s license, an
  employee ID card, or a credit card, you can have several different
  certificates that identify you for different purposes.</p>

<p>This section describes how to perform operations related to
  certificates.</p>

<div class="contentsBox">In this section:
  <ul>
    <li><a href="#getting_your_own_certificate">Getting Your Own
      Certificate</a></li>
    <li><a href="#checking_security_for_a_web_page">Checking Security for a Web
      Page</a></li>
    <li><a href="#managing_certificates">Managing Certificates</a></li>
    <li><a href="#managing_smart_cards_and_other_security_devices">Managing
      Smart Cards and Other Security Devices</a></li>
    <li><a href="#managing_ssl_warnings_and_settings">Managing SSL Warnings and
      Settings</a></li>
    <li><a href="#controlling_validation">Controlling Validation</a></li>
  </ul>
</div>

<h1 id="getting_your_own_certificate">Getting Your Own Certificate</h1>

<p>Much like a credit card or a driver&apos;s license, a certificate is a form
  of identification you can use to identify yourself over the Internet and
  other networks. Like other commonly used personal IDs, a certificate is
  typically issued by an organization with recognized authority to issue such
  identification. An organization that issues certificates is called a
  <strong>certificate authority (CA)</strong>.</p>

<p>You can obtain certificates that identify you from public CAs, from system
  administrators or special CAs within your organization, or from websites
  offering specialized services that require a means of identification more
  reliable than your name and password.</p>

<p>Just as the requirements for a driver&apos;s license vary depending on the
  type of vehicle you want to drive, the requirements for obtaining a
  certificate vary depending on what you want to use it for. In some cases
  getting a certificate may be as easy as going to a website, entering some
  personal information, and automatically downloading the certificate into your
  browser. In other cases you may have to go through more complicated
  procedures.</p>

<p>You can obtain a certificate today by visiting the URL for a certificate
  authority and following the on-screen instructions. For a list of certificate
  authorities issuing certificates recognized by &brandShortName;, see the
  online document
  <a href="http://www.mozilla.org/projects/security/certs/included/">Included
  Certificate List</a>.</p>

<p>Once you obtain a certificate, it is automatically stored in a
  <a href="glossary.xhtml#security_device">security device</a>. Your browser
  comes with its own built-in Software Security Device. A security device can
  also be a piece of hardware, such as a smart card.</p>

<p>Like a driver&apos;s license or a credit card, a certificate is a valuable
  form of identification that can be abused if it falls into the wrong hands.
  Once you&apos;ve obtained a certificate that identifies you, you should
  protect it in two ways: by backing it up and by setting your
  <a href="glossary.xhtml#master_password">master password</a>.</p>

<p>When you first obtain a certificate, you may be prompted to back it up. If
  you haven&apos;t yet created a master password, you will be asked to create
  one.</p>

<p>For detailed information about backing up a certificate and setting your
  master password, see <a href="certs_help.xhtml#your_certificates">Your
  Certificates</a>.</p>

<p>[<a href="#using_certificates">Return to beginning of section</a>]</p>

<h1 id="checking_security_for_a_web_page">Checking Security for a Web Page</h1>

<p>When you&apos;re viewing any web page, the lock icon near the lower-right
  corner of the window informs you whether the entire contents of the page was
  protected by <a href="glossary.xhtml#encryption">encryption</a> while it was
  being received by your computer:</p>

<table summary="lock icons">
  <tr>
    <td><img alt="closed lock icon"
      src="chrome://communicator/skin/icons/lock-secure.png"/></td>
    <td>A closed lock means that the page was protected by encryption when it
      was received.</td>
  </tr>
  <tr>
    <td><img alt="open lock icon"
      src="chrome://communicator/skin/icons/lock-insecure.png"/></td>
    <td>An open lock means the page was not protected by encryption when it was
      received.</td>
  </tr>
  <tr>
    <td><img alt="broken lock icon"
      src="chrome://communicator/skin/icons/lock-broken.png"/></td>
    <td>A broken lock means that some or all of the elements within the page
      were not protected by encryption when the page was received, even though
      the outermost HTML page was encrypted.</td>
  </tr>
</table>

<p>For more details about the encryption status of the page when it was
  received, click the lock icon (or open the View menu, choose Page Info, and
  click the Security tab).</p>

<p>The Security tab for Page Info provides two kinds of information:</p>

<ul>
  <li>The top half describes whether the website displaying the page has been
    verified. (For information on certificate verification, see
    <a href="#controlling_validation">Controlling Validation</a>.)</li>
  <li>The bottom half describes whether the contents of the page you are
    viewing is protected by encryption while in transit over the network.</li>
</ul>

<p><strong>Important</strong>: The lock icon describes only the encryption
  status of the page while it was being received by your computer. To be
  notified before you send or receive information without encryption, select
  the appropriate SSL warning options. See <a href="ssl_help.xhtml">Privacy
  &amp; Security Preferences - SSL</a> for details.</p>

<p>[<a href="#using_certificates">Return to beginning of section</a>]</p>

<h1 id="managing_certificates">Managing Certificates</h1>

<p>You can use the Certificate Manager to manage the certificates you have
  available. Certificates may be stored on your computer&apos;s hard disk or on
  <a href="glossary.xhtml#smart_card">smart cards</a> or other security devices
  attached to your computer.</p>

<p>To open the Certificate Manager:</p>

<ol>
  <li>Open the <span class="mac">&brandShortName;</span>
    <span class="noMac">Edit</span> menu and choose Preferences.</li>
  <li>Under the Privacy &amp; Security category, click Certificates. (If no
    subcategories are visible, double-click Privacy &amp; Security to expand
    the list.)</li>
  <li>In the Manage Certificates section, click Manage Certificates. You see
    the Certificate Manager.</li>
</ol>

<div class="contentsBox">In this section:
  <ul>
    <li><a href="#managing_certificates_that_identify_you">Managing
      Certificates that Identify You</a></li>
    <li><a href="#managing_certificates_that_identify_people">Managing
      Certificates that Identify People</a></li>
    <li><a href="#managing_certificates_that_identify_servers">Managing
      Certificates that Identify Servers</a></li>
    <li><a href="#managing_certificates_that_identify_certificate_authorities">Managing
      Certificates that Identify Certificate Authorities</a></li>
    <li><a href="#managing_certificates_that_identify_others">Managing
      Certificates that Identify Others</a></li>
  </ul>
</div>

<h2 id="managing_certificates_that_identify_you">Managing Certificates that
  Identify You</h2>

<p>When you first open the Certificate Manager, you&apos;ll notice that it has
  several tabs across the top of its window. The first tab is called Your
  Certificates, and it displays the certificates your browser or mail client
  has available that identify you. Your certificates are listed under the names
  of the organizations that issued them.</p>

<p>To perform an action on one or more certificates, click the entry for the
  certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click
  to select more than one), then click one of the buttons at the bottom of the
  Certificate Manager window. Each of these buttons brings up another window
  that allows you to perform the action. Click the Help button in any window to
  obtain more information about using that window.</p>

<p>For more details on how to view and manage these certificates, see
  <a href="certs_help.xhtml#your_certificates">Your Certificates</a>.</p>

<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>

<h2 id="managing_certificates_that_identify_people">Managing Certificates that
  Identify People</h2>

<p>When you compose a mail message, you can choose to attach your digital
  signature to it. A <a href="glossary.xhtml#digital_signature">digital
  signature</a> allows recipients of the message to verify that the message
  really comes from you and hasn&apos;t been tampered with since you sent
  it.</p>

<p>Every time you send a digitally signed message, your encryption certificate
  is automatically included with the message. This certificate allows the
  message recipients to send you encrypted messages.</p>

<p>One of the easiest ways to obtain someone else&apos;s encryption certificate
  is for that person to send you a digitally signed message. Certificate
  Manager automatically stores other people&apos;s certificates whenever they
  are received in this way.</p>

<p>To view all the certificates identifying other people that are available to
  the Certificate Manager, click the People tab at the top of the
  Certificate Manager window. You can send encrypted messages to anyone for
  whom a valid certificate is listed. Certificates are listed under the names
  of the organizations that issued them.</p>

<p>To perform an action on one or more certificates, click the entry for the
  certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click
  to select more than one), then click one of the buttons at the bottom of the
  Certificate Manager window. Each of these buttons brings up another window
  that allows you to perform the action. Click the Help button in any window to
  obtain more information about using that window.</p>

<p>For more details on how to view and manage these certificates, see the
  description of the Certificate Manager&apos;s
  <a href="certs_help.xhtml#people">People</a> tab.</p>

<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>

<h2 id="managing_certificates_that_identify_servers">Managing Certificates
  that Identify Servers</h2>

<p>Some websites and mail servers use certificates to identify themselves.
  Such identification is required before the server can encrypt information
  transferred between it and your computer (or vice versa), so that no one
  can read the data while in transit.</p>

<p>If the URL for a website begins with <tt>https://</tt>, the website presents
  a certificate. If you visit such a website and its certificate was issued by
  a CA that the Certificate Manager doesn&apos;t know about or doesn&apos;t
  trust, you will be asked whether you want to accept the website&apos;s
  certificate. When you accept a new website certificate, the Certificate
  Manager adds it to its list of website certificates and treats it as genuine
  from then on, so before accepting one you should confirm its fingerprint
  with the site operator through some other channel you trust.</p>

<p>To view all the website certificates available to your browser, click the
  Servers tab at the top of the Certificate Manager window.</p>

<p>To perform an action on one or more certificates, click the entry for the
  certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click
  to select more than one), then click one of the buttons at the bottom of the
  Certificate Manager window. Each of these buttons brings up another window
  that allows you to perform the action. Click the Help button in any window to
  obtain more information about using that window.</p>

<p>For more details on how to view and manage these certificates, see the
  description of the Certificate Manager&apos;s
  <a href="certs_help.xhtml#servers">Servers</a> tab.</p>

<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>

<h2 id="managing_certificates_that_identify_certificate_authorities">Managing
  Certificates that Identify Certificate Authorities</h2>

<p>Like other commonly used forms of ID, a certificate is issued by an
  organization with recognized authority to issue such identification. An
  organization that issues certificates is called a
  <a href="glossary.xhtml#certificate_authority">certificate authority
  (CA)</a>. A certificate that identifies a CA is called a CA certificate.</p>

<p>Certificate Manager typically has many CA certificates on file. These CA
  certificates permit Certificate Manager to recognize and work with
  certificates issued by the corresponding CAs. However, the presence of a CA
  certificate in this list does <em>not</em> guarantee that the certificates it
  issues can be trusted. You or your system administrator must make decisions
  about what kinds of certificates to trust depending on your security
  needs.</p>

<p>To view all the CA certificates available to your browser, click the
  Authorities tab at the top of the Certificate Manager window.</p>

<p>To perform an action on one or more CA certificates, click the entry for the
  certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click
  to select more than one), then click one of the buttons at the bottom of the
  Certificate Manager window. Each of these buttons brings up another window
  that allows you to perform the action. Click the Help button in any window to
  obtain more information about using that window.</p>

<p>For more details on how to view and manage these certificates, see the
  description of the Certificate Manager&apos;s
  <a href="certs_help.xhtml#authorities">Authorities</a> tab.</p>

<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>

<h2 id="managing_certificates_that_identify_others">Managing Certificates that
  Identify Others</h2>

<p>To see all certificates that do not fit into any of the other categories,
  click the Others tab at the top of the Certificate Manager window.</p>

<p>For more details on how to view and manage these certificates, see the
  description of the Certificate Manager&apos;s
  <a href="certs_help.xhtml#others">Others</a> tab.</p>

<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>

<h1 id="managing_smart_cards_and_other_security_devices">Managing Smart Cards
  and Other Security Devices</h1>

<p>A smart card is a small device, typically about the size of a credit card,
  that contains a microprocessor and is capable of storing information about
  your identity (such as your <a href="glossary.xhtml#private_key">private
  keys</a> and <a href="glossary.xhtml#certificate">certificates</a>) and
  performing cryptographic operations.</p>

<p>To use a smart card, you typically need to have a smart card reader (a piece
  of hardware) attached to your computer, as well as software on your computer
  that controls the reader.</p>

<p>A smart card is just one kind of security device. A security device
  (sometimes called a token) is a hardware or software device that provides
  cryptographic services and stores information about your identity. Use the
  Device Manager to work with smart cards and other security devices.</p>

<div class="contentsBox">In this section:
  <ul>
    <li><a href="#about_security_devices_and_modules">About Security Devices
      and Modules</a></li>
    <li><a href="#using_security_devices">Using Security Devices</a></li>
    <li><a href="#using_security_modules">Using Security Modules</a></li>
    <li><a href="#enable_fips_mode">Enable FIPS Mode</a></li>
  </ul>
</div>

<h2 id="about_security_devices_and_modules">About Security Devices and
  Modules</h2>

<p>The Device Manager displays a window that lists the available security
  devices. You can use the Device Manager to manage any security devices,
  including smart cards, that support the Public Key Cryptography Standard
  (PKCS) #11.</p>

<p>A <a href="glossary.xhtml#pkcs_11_module">PKCS #11 module</a> (sometimes
  called a security module) controls one or more security devices in much the
  same way that a software driver controls an external device such as a printer
  or modem. If you are installing a smart card, you must install the PKCS #11
  module for the smart card on your computer as well as connecting the smart
  card reader.</p>

<p>By default, the Device Manager controls two internal PKCS #11 modules that
  manage three security devices:</p>

<ul>
  <li><strong>&brandShortName; Internal PKCS #11 Module</strong>: Controls two
    security devices:
    <ul>
      <li><strong>Generic Crypto Services</strong>: A special security device
        that performs all cryptographic operations required by the
        &brandShortName; Internal PKCS #11 Module.</li>
      <li><strong>Software Security Device</strong>: Stores your certificates
        and keys that aren&apos;t stored on external security devices,
        including any CA certificates that you may have installed in addition
        to those that come with the browser.</li>
    </ul>
  </li>
  <li><strong>Builtin Roots Module</strong>: Controls a special security device
    called the Builtin Object Token. This security device stores the default
    <a href="glossary.xhtml#ca_certificate">CA certificates</a> that come with
    the browser.</li>
</ul>

<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to
  beginning of section</a>]</p>

<h2 id="using_security_devices">Using Security Devices</h2>

<p>The Device Manager allows you to perform operations on security devices. To
  open the Device Manager, follow these steps:</p>

<ol>
  <li>Open the <span class="mac">&brandShortName;</span>
    <span class="noMac">Edit</span> menu and choose Preferences.</li>
  <li>Under the Privacy &amp; Security category, click Certificates. (If no
    subcategories are visible, double-click Privacy &amp; Security to expand
    the list.)</li>
  <li>In the Certificates panel, click Manage Security Devices.</li>
</ol>

<p>The Device Manager lists each available PKCS #11 module in boldface, and the
  security devices managed by each module below its name.</p>

<p>When you select a security device, information about it appears in the
  middle of the Device Manager window, and some of the buttons on the right
  side of the window become available. For example, if you select the Software
  Security Device, you can perform these actions:</p>

<ul>
  <li>Click Login or Logout to log in or out of the Software Security Device.
    If you are logging in, you will be asked to supply the master password for
    the device. You must be logged into a security device before your browser
    software can use it to provide cryptographic services.</li>
  <li>Click Change Password to change the master password for the device.</li>
</ul>

<p>You can perform these actions on most security devices. However, you cannot
  perform them on the Builtin Object Token or Generic Crypto Services, which
  are special devices that must normally be available at all times.</p>

<p>For more details, see <a href="certs_help.xhtml#device_manager">Device
  Manager</a>.</p>

<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to
  beginning of section</a>]</p>

<h2 id="using_security_modules">Using Security Modules</h2>

<p>If you want to use a smart card or other external security device, you must
  first install the module software on your computer and, if necessary, connect
  any associated hardware. Follow the instructions that come with the
  hardware.</p>

<p>After a new module is installed on your computer, follow these steps to load
  it:</p>

<ol>
  <li>Open the <span class="mac">&brandShortName;</span>
    <span class="noMac">Edit</span> menu and choose Preferences.</li>
  <li>Under the Privacy &amp; Security category, click Certificates. (If no
    subcategories are visible, double-click Privacy &amp; Security to expand
    the list.)</li>
  <li>In the Certificates panel, click Manage Security Devices.</li>
  <li>Click Load.</li>
  <li>In the Load PKCS #11 Module dialog box, click the Browse button, locate
    the module file, and click Open.</li>
  <li>Fill in the Module Name field with the name of the module and click
    OK.</li>
</ol>

<p>The new module will then show up in the list of modules with the name you
  assigned to it.</p>

<p>To unload a PKCS #11 module, select its name and click Unload.</p>

<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to
  beginning of section</a>]</p>

<h2 id="enable_fips_mode">Enable FIPS Mode</h2>

<p>Federal Information Processing Standard (FIPS) 140-1 is a US government
  standard for implementations of cryptographic modules&mdash;that is, hardware
  or software that encrypts and decrypts data or performs other cryptographic
  operations (such as creating or verifying digital signatures). FIPS 140-1 has
  since been superseded by FIPS 140-2 and FIPS 140-3. Many products sold to the
  US government must comply with one or more of the FIPS standards.</p>

<p>To enable FIPS mode for the browser, you use the Device Manager:</p>

<ol>
  <li>Open the <span class="mac">&brandShortName;</span>
    <span class="noMac">Edit</span> menu and choose Preferences.</li>
  <li>Under the Privacy &amp; Security category, click Certificates. (If no
    subcategories are visible, double-click Privacy &amp; Security to expand
    the list.)</li>
  <li>In the Certificates panel, click Manage Security Devices.</li>
  <li>Click the Enable FIPS button. When FIPS is enabled, the name NSS Internal
    PKCS #11 Module changes to NSS Internal FIPS PKCS #11 Module and the Enable
    FIPS button changes to Disable FIPS.</li>
</ol>

<p>To disable FIPS-mode, click Disable FIPS.</p>

<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to
  beginning of section</a>]</p>

<h1 id="managing_ssl_warnings_and_settings">Managing SSL Warnings and
  Settings</h1>

<p>The Secure Sockets Layer (SSL) protocol allows your computer to exchange
  information with other computers on the Internet in encrypted form&mdash;that
  is, the information is scrambled while in transit so that no one else can
  make sense of it. SSL is also used to identify computers on the Internet by
  means of <a href="glossary.xhtml#certificate">certificates</a>.</p>

<p>The Transport Layer Security (TLS) protocol is the standardized successor
  to SSL. By default, the browser supports both SSL and TLS. This approach
  works for most people, because it guarantees that the browser will work with
  virtually all other existing software on the Internet that supports any
  version of SSL or TLS. Older SSL versions do, however, have known weaknesses,
  which is one reason administrators choose to disable them.</p>

<p>However, in some circumstances system administrators or other knowledgeable
  persons may wish to adjust the SSL settings to fine-tune them for special
  security needs or to account for bugs in some older software products.</p>

<p>You shouldn&apos;t adjust the SSL settings for your browser unless you know
  what you&apos;re doing or have the assistance of someone else who does. If
  you do need to adjust them for some reason, follow these steps:</p>

<ol>
  <li>Open the <span class="mac">&brandShortName;</span>
    <span class="noMac">Edit</span> menu and choose Preferences.</li>
  <li>Under the Privacy &amp; Security category, select SSL. (If no
    subcategories are visible, double-click Privacy &amp; Security to expand
    the list.)</li>
</ol>

<p>For more details, see <a href="ssl_help.xhtml">SSL Settings</a>.</p>

<p>[<a href="#using_certificates">Return to beginning of section</a>]</p>

<h1 id="controlling_validation">Controlling Validation</h1>

<p>As discussed above under <a href="#getting_your_own_certificate">Getting
  Your Own Certificate</a>, a certificate is a form of identification, much
  like a driver&apos;s license, that you can use to identify yourself over the
  Internet and other networks. However, also like a driver&apos;s license, a
  certificate may expire or become invalid for some other reason. Therefore,
  your browser software needs to confirm the validity of any given certificate
  in some way before trusting it for identification purposes.</p>

<p>This section describes how Certificate Manager validates certificates and
  how to control that process. To understand the process, you should have some
  familiarity with <a href="glossary.xhtml#public-key_cryptography">public-key
  cryptography</a>. If you are not familiar with the use of certificates, you
  should check with your system administrator before attempting to change any
  of your browser&apos;s certificate validation settings.</p>

<div class="contentsBox">In this section:
  <ul>
    <li><a href="#how_validation_works">How Validation Works</a></li>
    <li><a href="#managing_crls">Managing CRLs</a></li>
    <li><a href="#configuring_ocsp">Configuring OCSP</a></li>
    <li><a href="validation_help.xhtml">Validation Settings</a></li>
  </ul>
</div>

<h2 id="how_validation_works">How Validation Works</h2>

<p>Whenever you use or view a certificate stored by Certificate Manager, it
  takes several steps to verify the certificate. At a minimum, it confirms that
  the CA&apos;s digital signature on the certificate was created by a CA whose
  own certificate is (1) present in the Certificate Manager&apos;s list of
  available CA certificates and (2) marked as trusted for issuing the kind of
  certificate being verified.</p>

<p>If the CA certificate is not itself present, the
  <a href="glossary.xhtml#certificate_chain">certificate chain</a> for the CA
  certificate must include a higher-level CA certificate that is present and
  correctly trusted. Certificate Manager also confirms that the certificate
  being verified is currently marked as trusted in the certificate store. If
  any one of these checks fails, Certificate Manager marks the certificate as
  unverified and won&apos;t recognize the identity it certifies.</p>

<p>A certificate can pass all these tests and still be compromised in some way;
  for example, the CA may have revoked the certificate because an unauthorized
  person has gained access to the certificate&apos;s private key. Until that
  revocation is checked, whoever holds the private key can pretend to be the
  certificate owner, whether as a person or as a website.</p>

<p>One way to combat this threat is for Certificate Manager to check a
  certificate revocation list (CRL) as part of the verification process (see
  <a href="#managing_crls">Managing CRLs</a>, below). Typically, you download a
  CRL to your browser by clicking a link. If a CRL is present, Certificate
  Manager checks any certificate issued by the same CA against the list as part
  of the verification process.</p>

<p>The reliability of CRLs depends on the frequency with which they are both
  updated by a server and checked by a client. You can configure your
  <a href="validation_help.xhtml#automatic_crl_update_preferences">Automatic
  CRL Update Preferences</a> so that a CRL will be updated automatically at
  regular intervals with the version currently on the server.</p>

<p>Another way to combat the threat of compromised certificates is to use a
  special server that supports the Online Certificate Status Protocol (OCSP).
  Such a server can answer client queries about individual certificates (see
  <a href="#configuring_ocsp">Configuring OCSP</a>, below).</p>

<p>The server, called an OCSP responder, obtains current revocation
  information from the CA that issued the certificates to be verified (often
  in the form of that CA&apos;s latest CRL). You can configure Certificate
  Manager to submit a status request for a certificate to the OCSP responder,
  which replies with a signed answer stating whether the certificate is good,
  revoked, or unknown to it.</p>

<p>[<a href="#controlling_validation">Return to beginning of section</a>]</p>

<h2 id="managing_crls">Managing CRLs</h2>

<p>A certificate revocation list (CRL) is a list of revoked certificates. A
  <a href="glossary.xhtml#certificate_authority">certificate authority (CA)</a>
  might revoke a certificate, for example, if it has been compromised in some
  way&mdash;much the way a credit card company might revoke your credit card if
  you report that it&apos;s been stolen.</p>

<p>This section describes how to import and manage CRLs.</p>

<p>For background information, see
  <a href="#how_validation_works">How Validation Works</a>.</p>

<p>For detailed descriptions of CRL settings that you can control, see
  <a href="validation_help.xhtml">Validation Settings</a>.</p>

<div class="contentsBox">In this section:
  <ul>
    <li><a href="#about_the_next_update_date">About the <q>Next Update</q>
      Date</a></li>
    <li><a href="#importing_crls">Importing CRLs</a></li>
    <li><a href="#viewing_and_managing_crls">Viewing and Managing CRLs</a></li>
  </ul>
</div>

<h3 id="about_the_next_update_date">About the <q>Next Update</q> Date</h3>

<p>The browser uses the CRLs it has available to check the validity of
  certificates issued by the corresponding CAs. If a certificate is listed as
  revoked, the browser won&apos;t accept it as evidence of identity.</p>

<p>A CA typically publishes an updated CRL at regular intervals. Every CRL
  includes a date, specified in the Next Update field, by which the CA will
  publish the next update of that CRL. In general, if the date in the Next
  Update field is earlier than the current date, you should obtain the most
  recent version of the CRL. To view CRL information and set up automatic CRL
  updating, see <a href="#viewing_and_managing_crls">Viewing and Managing
  CRLs</a>.</p>

<p>CAs are required to produce a new CRL by the Next Update date. However, the
  absence of the most recent CRL does not by itself invalidate a certificate.
  For this reason, if the most recent CRL is not available, a certificate may
  be validated even though the most recent CRL lists it as revoked. Automatic
  CRL updating can help to avoid this situation.</p>

<h3 id="importing_crls">Importing CRLs</h3>

<p>You can import the latest CRL from a CA into your browser. To import a CRL,
  follow these steps:</p>

<ol>
  <li>Go to the URL specified by the CA or by your system administrator and
    click the link for the CRL that you want to import.
    <p>The Import Status dialog box appears.</p>
  </li>
  <li>Confirm that the CRL was imported successfully and that it&apos;s the one
    you wanted. In most cases you should also click Yes, which enables
    automatic updating of the CRL you just imported.</li>
  <li>The next step depends on whether you click Yes or No in the Import Status
    dialog box:
    <ul>
      <li><strong>Yes</strong>: The Automatic CRL Update Preferences dialog box
        appears. In this case, go on to step 4.</li>
      <li><strong>No</strong>: The Import Status dialog box closes. If you
        change your mind and decide to enable automatic updates after all, see
        <a href="#viewing_and_managing_crls">Viewing and Managing
        CRLs</a>.</li>
    </ul>
  </li>
  <li>Select the option labeled <q>Enable Automatic Update for this
    CRL</q>.</li>
  <li>Decide how you want to schedule the automatic updates:
    <ul>
      <li><strong>Update [__] days before Next Update date</strong>: Select
        this option if you want to base the update frequency on the frequency
        with which the CRL publisher publishes a new version of the CRL.</li>
      <li><strong>Update every [__] days</strong>: Select this option if you
        want to specify an update interval unrelated to the CRL&apos;s Next
        Update date.</li>
    </ul>
  </li>
  <li>Click OK to confirm your choices.</li>
</ol>
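<p>The following Python model is an added illustration, not code from the
  browser or this help page: it shows the two decisions described above, how a
  certificate fares against a CRL whose Next Update date has passed (see
  <q>About the Next Update Date</q>), and when each of the two automatic
  update options (<q>Update [__] days before Next Update date</q> and
  <q>Update every [__] days</q>) would fetch the CRL again. The CRL object, its
  issuer name, serial numbers and dates are all constructed sample data.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Crl:
    """In-memory model of a CRL the browser has imported (constructed; a real
    CRL is DER-encoded and signed by the CA, only these fields matter here)."""
    issuer: str
    next_update: datetime      # the CRL's Next Update field
    imported_at: datetime      # when this copy was downloaded
    revoked_serials: frozenset # serial numbers the CA has revoked

def check_certificate(issuer, serial, crls, now):
    """Classify a certificate against the CRL available for its issuer.

    'revoked' beats everything; 'ok-stale-crl' means it passed, but the CRL's
    Next Update date is already in the past, so a newer CRL might list it
    (the situation automatic updating is meant to avoid)."""
    crl = next((c for c in crls if c.issuer == issuer), None)
    if crl is None:
        return "ok-no-crl"          # nothing to check against
    if serial in crl.revoked_serials:
        return "revoked"
    if now > crl.next_update:
        return "ok-stale-crl"
    return "ok"

def next_auto_update(crl, now, days_before_next_update=None, every_days=None):
    """When automatic updating should fetch this CRL again.

    Pass exactly one option, mirroring the two radio buttons: 'Update [__]
    days before Next Update date' or 'Update every [__] days'. A due time
    that has already passed collapses to now (fetch immediately)."""
    if (days_before_next_update is None) == (every_days is None):
        raise ValueError("choose exactly one scheduling option")
    if days_before_next_update is not None:
        due = crl.next_update - timedelta(days=days_before_next_update)
    else:
        due = crl.imported_at + timedelta(days=every_days)
    return max(due, now)

# Constructed sample data: a CRL valid for one week and two points in time.
SAMPLE_CRL = Crl(
    issuer="CN=Example CA",
    next_update=datetime(2024, 1, 8, tzinfo=timezone.utc),
    imported_at=datetime(2024, 1, 2, tzinfo=timezone.utc),
    revoked_serials=frozenset({0x1001, 0x1002}),
)
NOW_FRESH = datetime(2024, 1, 5, tzinfo=timezone.utc)   # before Next Update
NOW_STALE = datetime(2024, 1, 10, tzinfo=timezone.utc)  # after Next Update
```

<p>With <code>NOW_STALE</code>, a serial that is not on the stale CRL still
  passes, which is exactly the gap the Next Update date warns about.</p>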

<h3 id="viewing_and_managing_crls">Viewing and Managing CRLs</h3>

<p>You can view and manage CRLs available to the browser through the
  browser&apos;s Validation preferences:</p>

<ol>
  <li>Open the <span class="mac">&brandShortName;</span>
    <span class="noMac">Edit</span> menu and choose Preferences.</li>
  <li>Under the Privacy &amp; Security category, click Validation. (If no
    subcategories are visible, double-click Privacy &amp; Security to expand
    the list.)</li>
  <li>Click Manage CRLs in the Validation panel to see a list of the CRLs
    available to Certificate Manager.</li>
</ol>

<p>To delete or update a CRL, select it and click the appropriate button.</p>

<p>To set up automatic updates for a CRL, select the CRL and click Settings.
  The Automatic CRL Update Preferences dialog box appears:</p>

<ol>
  <li>Select the option labeled <q>Enable Automatic Update for this
    CRL</q>.</li>
  <li>Decide how you want to schedule the automatic updates:
    <ul>
      <li><strong>Update [__] days before Next Update date</strong>: Select
        this option if you want to base the update frequency on the frequency
        with which the CRL publisher publishes a new version of the CRL.</li>
      <li><strong>Update every [__] days</strong>: Select this option if you
        want to specify an update interval unrelated to the CRL&apos;s Next
        Update date.</li>
    </ul>
  </li>
  <li>Click OK to confirm your choices.</li>
</ol>

<p>[<a href="#controlling_validation">Return to beginning of section</a>]</p>

<h2 id="configuring_ocsp">Configuring OCSP</h2>

<p>The settings that control OCSP are part of Validation preferences. To view
  Validation preferences, follow these steps:</p>

<ol>
  <li>Open the <span class="mac">&brandShortName;</span>
    <span class="noMac">Edit</span> menu and choose Preferences.</li>
  <li>Under the Privacy &amp; Security category, click Validation. (If no
    subcategories are visible, double-click Privacy &amp; Security to expand
    the list.)</li>
</ol>

<p>For information about the OCSP options available, see
  <a href="validation_help.xhtml#ocsp">OCSP</a>.</p>

<p>[<a href="#controlling_validation">Return to beginning of section</a>]</p>

</body>
</html>