The scope and audience of this white paper is to assist organizational system architects and administrators in understanding how certificate chaining and revocation work in Windows 2000 and Windows XP, so that administrators can troubleshoot problems related to certificate chaining and revocation. For an introduction to PKI and Certificate Services, please refer to

The following terms are used in this white paper:

Public Key Infrastructure (PKI): The PKI provides validation of certificate-based credentials and ensures that the credentials are not revoked, corrupted, or modified.

Certificate chaining: The trust validation of an X.509 certificate as it is compared to a trust anchor such as a root certificate.

Validity period: A certificate may be issued for one minute, thirty years, or even more. Once issued, a certificate becomes valid once its validity time has been reached, and it is considered valid until its expiration date. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period. Such circumstances include a change of name, a change of association between subject and CA (for example, when an employee terminates employment with an organization), and compromise or suspected compromise of the corresponding private key.

Subject Key Identifier (SKI): A certificate extension included in CA certificates that contains a hash of the CA certificate's public key. This hash is placed in the Authority Key Identifier (AKI) extension of all issued certificates to facilitate chain building.

Authority Information Access (AIA): A certificate extension that contains information useful for verifying the trust status of a certificate.

CRL Distribution Point (CDP): A certificate extension that anchors a well-known location for base, delta, and even partitioned CRLs. This extension can contain multiple HTTP, FTP, File, or LDAP URLs for the retrieval of the CRL.

Qualified subordination: A method of restricting certificate chaining to a designated CA for limited time periods or usages. In a Windows Server 2003 network, qualified subordination is the preferred method for restricting certificate usage between organizations.

Certificate Revocation List (CRL): A digitally signed list issued by a Certification Authority (CA) that contains the certificates issued by the CA that have been revoked. The listing includes the serial number of the certificate, the date that the certificate was revoked, and the revocation reason. Applications can perform CRL checking to determine a presented certificate's revocation status. There are several types of CRLs: full CRLs (also known as base CRLs), delta CRLs, and CRL Distribution Points (CDPs). Delta CRLs contain only the status of the certificates whose status has changed since the issuance of the last base CRL.

Online Certificate Status Protocol (OCSP): A protocol that allows real-time validation of a certificate's status by having the Crypto API make a call to an OCSP responder, which provides an immediate validation of the revocation status for the presented certificate.

The best way to start a discussion of certificate revocation and status checking is to look at how an end user sees the effects of certificate revocation and status checking in the Windows XP and Windows 2000 user interfaces. This section will look at scenarios where a certificate chain is both valid and invalid.
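The chain building (AKI matched to the issuer's SKI), validity-period and base/delta CRL checks described above, carried out over constructed records in an added Python example that is not code from the white paper or from Windows CryptoAPI. The Cert and CRL record layouts, the field names and the delta-merge rule are simplifying assumptions, and no signatures are verified.

```python
from collections import namedtuple
from datetime import datetime

# Constructed, simplified records (signatures are NOT verified): the point is chain
# building by AKI -> SKI matching plus validity-period and CRL revocation checks.
# ski = Subject Key Identifier (hash of the cert's public key); aki = the issuer's SKI.
Cert = namedtuple("Cert", "subject issuer serial ski aki not_before not_after")
# revoked maps serial -> (revocation date, reason); is_delta marks a delta CRL.
CRL = namedtuple("CRL", "issuer this_update revoked is_delta", defaults=(False,))

def build_chain(leaf, certs, anchors):
    # Walk from the leaf toward a trust anchor, matching each AKI to an issuer SKI.
    by_ski = {c.ski: c for c in certs + anchors}
    chain = [leaf]
    while chain[-1] not in anchors:
        parent = by_ski.get(chain[-1].aki)
        if parent is None or parent in chain:
            return None  # no path to a trust anchor, or a loop
        chain.append(parent)
    return chain

def revocation_status(cert, crls):
    mine = [c for c in crls if c.issuer == cert.issuer]
    base = max((c for c in mine if not c.is_delta), key=lambda c: c.this_update, default=None)
    if base is None:
        return "unknown"  # no base CRL retrievable, so status cannot be determined
    entries = dict(base.revoked)
    # Delta CRLs carry only the changes since the base CRL; apply them in order.
    deltas = [c for c in mine if c.is_delta and c.this_update >= base.this_update]
    for d in sorted(deltas, key=lambda c: c.this_update):
        entries.update(d.revoked)
    if cert.serial in entries:
        date, reason = entries[cert.serial]
        return f"revoked ({reason}, {date:%Y-%m-%d})"
    return "good"

def validate(leaf, certs, anchors, crls, now=None):
    now = now or datetime.now()
    chain = build_chain(leaf, certs, anchors)
    if chain is None:
        return "invalid: no chain to a trust anchor"
    for c in chain:
        if not (c.not_before <= now <= c.not_after):
            return f"invalid: {c.subject} is outside its validity period"
    for c in chain[:-1]:  # the trust anchor itself is not checked against a CRL
        status = revocation_status(c, crls)
        if status != "good":
            return f"invalid: {c.subject} revocation status: {status}"
    return "valid"
```

A missing base CRL for any issuing CA in the chain yields an "unknown" status, which the validator treats as a failure rather than silently passing the certificate.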