About Client Certificates

Client certificates are digitally signed identity documents that bind personal information about a user to that user's public key. They are not encrypted: anyone who receives a certificate can read its contents, and its value lies in the issuer's signature, which cannot be forged without the issuer's private key. Similar to conventional forms of identification, client certificates enable Web servers to authenticate, or confirm, the identity of a user before letting that user log on to a restricted Web site.

The Certificate Authority

You can obtain a client certificate from a mutually trusted, commercial organization, called a certificate authority. Before issuing a certificate, the authority requires you to provide identification information, such as a name, address, and organization name. The extent of this information varies with the identification assurance requirements of the certificate, that is, with how carefully the authority vets applicants before vouching for them. If you need a certificate that provides a high level of assurance about your identity, the certificate authority will require substantial information from you; gathering this information may require a personal interview with the authority and the endorsement of a notary.

For a list of certificate authorities, see Obtaining a Server Certificate.

Contents of a Client Certificate

The basic, industry standard (X.509) client certificate contains several items of information: the identity of the user (the subject), the identity of the certificate authority that issued it (the issuer), the user's public key, used for establishing secure communications, validation information, such as an expiration date and serial number, and the certificate authority's digital signature over all of the above. The matching private key is not part of the certificate; it stays on the user's computer and is what the user proves possession of when logging on. Certificate authorities offer different types of client certificates, containing differing amounts of information, depending on the level of identification assurance required. For example, while a basic client certificate may contain a name, address, and phone number, a certificate with a high level of assurance could contain additional information, such as professional affiliations, a brief business history, or credit information.

Detection of Revoked Client Certificates

Most reputable certificate authorities maintain a Certificate Revocation List (CRL), which is a signed list of the serial numbers of unexpired client certificates that the authority has revoked before their scheduled expiration dates. For example, if a certificate authority issues a client certificate to a user and later determines that the user submitted false information, the authority can revoke that user's client certificate. However, because the certificate authority cannot physically take back a client certificate, and the certificate itself still carries a valid signature and expiration date, the authority alerts Web servers and administrators by publishing the revoked certificate's serial number in its CRL. A server that never retrieves the CRL, or that keeps using one past its next scheduled update, will continue to accept revoked certificates.

Your Windows NT operating system uses Microsoft CryptoAPI 2.0, a security architecture capable of accommodating revocation service providers that check CRLs to determine whether a client certificate has been revoked. For more information about revocation service providers, contact your certificate authority.
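The certificate contents described under "Contents of a Client Certificate" and the CRL check described in this section, as an added example in Go that is not part of the original page or of IIS. It builds a constructed, throwaway authority in memory (a root, two client certificates for "Alice" and "Bob", and a CRL revoking Alice's serial number), reads out the fields a server sees in a presented certificate, then verifies each certificate the way a revocation-aware server would: chain to the trusted root, check the validity period and the client-authentication purpose, and consult the CA-signed CRL, failing closed when the CRL is unsigned or stale. All names, serial numbers and lifetimes are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed, in-memory authority, not a real CA: a root, two client
// certificates it issued, and a CRL revoking Alice's (serial 4242) but not Bob's (4243).
type DemoPKI struct {
	CA, Alice, Bob *x509.Certificate
	CRL            []byte // DER-encoded CRL signed by CA
}

// issue makes a fresh P-256 key, signs tmpl with signer (or with the new key itself when
// signer is nil, giving a self-signed root) and returns the parsed certificate and key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if signer == nil { signer = key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoPKI generates the CA, the two client certificates and the CRL.
func BuildDemoPKI() (*DemoPKI, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Demo Client CA", Organization: []string{"Example Corp"}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: the CA signs its own CRL
	}
	ca, caKey, err := issue(caTmpl, caTmpl, nil)
	if err != nil { return nil, err }
	var clients [2]*x509.Certificate
	for i, name := range []string{"Alice Example", "Bob Example"} {
		clients[i], _, err = issue(&x509.Certificate{
			SerialNumber: big.NewInt(4242 + int64(i)),
			// The identity the CA verified before issuing: the certificate's "personal information".
			Subject:     pkix.Name{CommonName: name, Organization: []string{"Example Corp"}},
			NotBefore:   now.Add(-time.Hour), NotAfter: now.AddDate(0, 3, 0),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, caKey)
		if err != nil { return nil, err }
	}
	// The CA cannot take Alice's certificate back; it publishes her serial number in a signed CRL instead.
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: clients[0].SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey)
	if err != nil { return nil, err }
	return &DemoPKI{CA: ca, Alice: clients[0], Bob: clients[1], CRL: crl}, nil
}

// DescribeClientCert parses the DER certificate a TLS client presents and returns the
// fields a Web server looks at: who it names, who vouches for it, key type, serial, expiry.
func DescribeClientCert(der []byte) (map[string]string, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return map[string]string{
		"subject": c.Subject.String(), "commonName": c.Subject.CommonName, "issuer": c.Issuer.String(),
		"publicKey": c.PublicKeyAlgorithm.String(), "serial": c.SerialNumber.String(),
		"notAfter": c.NotAfter.UTC().Format(time.RFC3339),
	}, nil
}

// VerifyClientCert does what a revocation-aware server does: chain the certificate to the
// trusted CA, check validity period and clientAuth purpose, then consult the CA's CRL. It
// returns "good" or "revoked"; a defect in the chain or in the CRL itself is an error (fail closed).
func VerifyClientCert(cert, ca *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return "", err }
	if err := crl.CheckSignatureFrom(ca); err != nil { // an unsigned or forged CRL proves nothing
		return "", fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) { // a stale CRL may be missing recent revocations
		return "", fmt.Errorf("crl expired %s; fetch a fresh one", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}
```

Note what the CRL lookup keys on: the serial number, which is unique only within one issuer. That is why the chain check comes first, why the CRL's signature is verified against the same issuer, and why a CRL past its next-update time is reported as an error rather than as "not revoked".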

Ultimately, the success of client certificate authentication depends on whether the server administrator receiving a client certificate trusts the authority that issued it, and on whether that authority properly verified the user's identity before issuing it. A presented certificate establishes only that the presenter holds the private key matching it and that a trusted authority vouched for the name it contains. Beyond this, client certificates do not conclusively prove a user's identity, and they provide no insight into the trustworthiness, or intentions, of the user: a valid certificate identifies a user, it does not decide what that user should be allowed to do.

For more information, see Obtaining a Client Certificate.


© 1997 by Microsoft Corporation. All rights reserved.