Certification Success - Certificates Part I
A Certificate is, at its heart, a document that certifies something, usually an accomplishment or status. In the context of Windows Server 2003 encryption, it becomes a document that certifies that the holder is who and what they claim to be. The holder, of course, is the computer or user account.
In the real world, authentic certificates don’t just spring into existence ex nihilo. The issuer of the certificate is just as important as the holder, if not more so, because true authenticity rests on the integrity and respect that the issuer demands and is given. This principle is apparently universal: driver’s licenses are regarded as authentic certificates of identification, just as diplomas and board certifications are regarded as the authentic certifications required of a practicing physician. As we all know, it’s possible to create forged certificates in real life, but by automating the procedure and creating a list of standards, the likelihood of forged or incorrect certificates is reduced significantly. Some of these standards are obvious facsimiles of important certificates in the real world. While a physician may have a certificate such as a diploma that never expires, they must have another board certificate that enables them to practice medicine. These board certificates expire, and require a renewal in order to further certify appropriate medical techniques, as well as new advances in the technologies of medicine. The same certification updates are required for driver’s licenses in order to accommodate changes in traffic law, as well as updates for the person to whom the license applies.
Traditionally, Microsoft and Netware required that certifications be similarly updated in order to maintain the certification itself. This is a good tactic for the vendor, because it essentially promotes a captive audience and customer base for their newer products, by literally dragging their certification-holders along for the ride. It’s also seen as not such a good idea because, despite the changes in technology, the certification may not yield the financial gain expected to at least balance the amount of effort, time, and money invested in the process. CompTIA certifications, as well as those of several other lesser-known certification providers, are traditionally life-long. Microsoft has taken a first step in this direction by essentially providing different certifications for the different product lines they provide. This was first done with the Windows NT MCSE/MCP certifications in late 2001, allowing certification holders in the Windows NT track to maintain their credentials, while simultaneously providing the option to pursue Windows 2000 MCSE/MCP credentials.
In the case of Windows Server 2003, the certificate authority is, well, the Certificate Authority. The Certificate Authority issues certificates to users and computers based upon the public and private key method described previously, replacing things such as the private key password with the standard locally- or domain-authenticated password. The Certificate Authority gains its true authority by using a set of rules and procedures that allow it to basically guarantee and authorize that the certificates it issues are authentic and that the contents of those certificates are valid, complete, true, and up-to-date.
A certificate, once issued, doesn’t actually do anything. Its importance lies in what it represents: an authority’s trust. The bearer of that certificate can then show it to any other user or computer, and gain the same level of trust without the direct intervention of the authority, in just the same way that a police officer has a badge that certifies his authority to you, without requiring that the mayor, governor, or president be present to make the introduction personally. In this manner, two computers that possess certificates from the same Certificate Authority can reasonably assume that each is who it claims to be. It’s the same idea as the old proverb ‘my friend’s friend is my friend too.’
Certificates were originally designed to replace standard authentication methods like Kerberos. Within Windows Server 2003 they have been fine-tuned as a secure vehicle for internet communications. In order to better understand how the vehicle runs, it’s best to once more use an example. A large corporation has established an extranet. An extranet is usually a ‘secure website’ that contains sensitive information and is restricted to a particular group of people. The idea is that a user obtains a certificate from a central Certificate Authority. The web server(s) that contain the extranet content also have a certificate from the same Certificate Authority. When that user attempts to communicate with the web server, communications are allowed because each party has the appropriate credentials in the form of their respective certificates. Neither the web server nor the user needs to maintain a lengthy list of usernames and passwords, and neither is required to double-check authenticity with any other authority. The physical location of the user or the web server is no problem either, because of the autonomy and independence that the certificate concept allows.
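The three ideas above (the issuer's signature is what gives a certificate its meaning, a relying party checks the "badge" without contacting the authority, and certificates expire and must be renewed) can be shown end to end with plain X.509 and Go's standard library. The following is an added example written for this article; it is not code from the article or from the Windows Server 2003 Certificate Authority, and it does not talk to any real CA. The names "Corp Root CA", "extranet.example.test", "alice" and "mallory" are constructed for illustration. A self-signed root stands in for the corporate Certificate Authority, which then issues a server certificate for the extranet web server and a client certificate for a user; a relying party that trusts only that root accepts the user, rejects a holder of a certificate from some other authority, rejects a certificate that has expired, and rejects a client certificate presented for the wrong purpose.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a certificate with the private key that proves ownership of it.
// Everything here is generated in memory for the example (constructed, no real CA).
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue signs tmpl with the issuer's key, or self-signs it when issuer is nil.
func issue(tmpl *x509.Certificate, issuer *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signer := tmpl, key // self-signed root
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key // leaf signed by the CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// NewCA creates a self-signed root: the issuer whose signature gives every leaf its meaning.
func NewCA(name string, now time.Time) (*Identity, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
}

// Issue has the CA sign a certificate for a user or server. The leaf is valid for
// `lifetime` (renewal is needed after that) and only for the stated purpose.
func Issue(ca *Identity, name string, now time.Time, lifetime time.Duration, usage x509.ExtKeyUsage) (*Identity, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	return issue(&x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}, ca)
}

// Trusts reports whether a relying party that trusts only `root` would accept `leaf`
// for `usage` at time `now`. Like checking a badge, it never contacts the issuer:
// the signature, validity period and purpose in the certificate are enough.
func Trusts(root, leaf *Identity, usage x509.ExtKeyUsage, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root.Cert)
	_, err := leaf.Cert.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{usage},
	})
	return err
}

func main() {
	now := time.Now()
	corpCA, _ := NewCA("Corp Root CA", now)
	otherCA, _ := NewCA("Some Other CA", now)
	year := 365 * 24 * time.Hour
	web, _ := Issue(corpCA, "extranet.example.test", now, year, x509.ExtKeyUsageServerAuth)
	alice, _ := Issue(corpCA, "alice", now, year, x509.ExtKeyUsageClientAuth)
	mallory, _ := Issue(otherCA, "mallory", now, year, x509.ExtKeyUsageClientAuth)

	fmt.Println("user trusts web server:   ", Trusts(corpCA, web, x509.ExtKeyUsageServerAuth, now))
	fmt.Println("web server trusts alice:  ", Trusts(corpCA, alice, x509.ExtKeyUsageClientAuth, now))
	fmt.Println("web server trusts mallory:", Trusts(corpCA, mallory, x509.ExtKeyUsageClientAuth, now))
	fmt.Println("alice two years later:    ", Trusts(corpCA, alice, x509.ExtKeyUsageClientAuth, now.Add(2*year)))
	fmt.Println("alice posing as a server: ", Trusts(corpCA, alice, x509.ExtKeyUsageServerAuth, now))
}
```

The first two checks return nil (accepted); the last three return errors from the standard library naming the reason (unknown authority, expired, incompatible key usage). Note what is absent: no password list on the web server, and no round trip to the CA at check time. What the relying party does need is an up-to-date copy of the root it trusts and, in a real deployment, a revocation source, since this example cannot tell whether the issuer has withdrawn its trust before a certificate expires.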
