<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" [
<!ENTITY % brandDTD SYSTEM "chrome://global/locale/brand.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Certificate Information and Decisions</title>
<link rel="stylesheet" type="text/css" href="chrome://help/locale/helpFileLayout.css"/>
<div class="boilerplate">This document is provided by &brandShortName; for your information only.
It may help you take certain steps to protect the privacy and security of your personal
information on the Internet. This document does not, however, address all online privacy
and security issues, nor does it represent a recommendation by &brandShortName; about what
constitutes adequate privacy and security protection on the Internet.</div>
<h1 id="certificate_information_and_decisions">Certificate Information and Decisions</h1>
<p>This section describes how to use various windows displayed at different times by
Certificate Manager. The additional information given here appears when you click
the Help button in one of those windows.</p>
<div class="contentsBox">In this section:
<li><a href="#certificate_viewer">Certificate Viewer</a></li>
<li><a href="#choose_security_device">Choose Security Device</a></li>
<li><a href="#certificate_backup">Certificate Backup</a></li>
<li><a href="#user_identification_request">User Identification Request</a></li>
<li><a href="#new_certificate_authority">New Certificate Authority</a></li>
<li><a href="#web_site_certificates">Web Site Certificates</a></li>
<h2 id="certificate_viewer">Certificate Viewer</h2>
<p>The Certificate Viewer displays information about a certificate you selected in
one of the Certificate Manager tabs. The General tab summarizes information about
who issued the certificate, its verification status, what the certificate can be
used for, and so on. The Details tab provides complete details on the certificate's
<p>If you are not currently viewing the Certificate Viewer, follow these steps:</p>
<li>Open the Edit menu (&brandShortName; menu on Mac OS X) and choose Preferences.</li>
<li>Under the Privacy &amp; Security category, click Certificates. (If no
subcategories are visible, double-click Privacy &amp; Security to expand the list.)</li>
<li>Click Manage Certificates.</li>
<li>Click the tab for the type of certificate whose details you want to view.</li>
<li>Select the certificate whose details you want to view.</li>
<div class="contentsBox">In this section:
<li><a href="#general_tab">General Tab</a></li>
<li><a href="#details_tab">Details Tab</a></li>
<h3 id="general_tab">General Tab</h3>
<p>When you first open the Certificate Viewer, the General tab displays several kinds
of information about the selected certificate:</p>
<li><strong>This certificate has been verified for the following uses:</strong>
See <a href="glossary.html#certificate_verification">certificate verification</a>
for a discussion of how the Certificate Manager verifies certificates. Uses can
include any of the following:
<li><strong>SSL Client Certificate:</strong> Certificate used to identify you
<li><strong>SSL Server Certificate:</strong> Certificate used to identify a
web site server to browsers.</li>
<li><strong>Email Signer Certificate:</strong> Certificate used to identify you
for the purposes of digitally signing email messages.</li>
<li><strong>Email Recipient Certificate:</strong> Certificate used to identify
someone else, for example so you can send that person encrypted email.</li>
<li><strong>Status Responder Certificate:</strong> Certificate used to identify
an online status responder that uses the Online Certificate Status Protocol
(OCSP) to check the validity of certificates. For more information about
OCSP, see <a href="validation_help.html">Validation Settings</a>.</li>
<li><strong>SSL Certificate Authority:</strong> Certificate used to identify
a certificate authority—that is, a service that issues certificates for
use as identification over computer networks.</li>
<li><strong>Issued To:</strong> Summarizes the following information about the
<li><strong>Common Name:</strong> The name of the person or other entity that
the certificate identifies.</li>
<li><strong>Organization:</strong> The name of the organization to which the
entity belongs (such as the name of a company).</li>
<li><strong>Organizational Unit:</strong> The name of the organizational unit
to which the entity belongs (such as Accounting Department).</li>
<li><strong>Serial Number:</strong> The certificate's serial number.</li>
<li><strong>Issued By:</strong> Summarizes information (similar to that provided
under "Issued To"; see above) about the certificate authority (CA)
that issued the certificate.</li>
<li><strong>Validity:</strong> Indicates the period during which the certificate
<li><strong>Fingerprints:</strong> Lists the certificate's fingerprints. A
fingerprint is a unique number produced by applying a mathematical function to
the certificate contents. A certificate's fingerprint can be used to verify that
the certificate has not been tampered with.</li>
<h3 id="details_tab">Details Tab</h3>
<p>Click the Details tab at the top of the Certificate Viewer to see more detailed
information about the selected certificate. To examine information for any certificate
in the Certificate Hierarchy area, select its name, select the field under Certificate
Fields that you want to examine, and read the field's value under Field Value:</p>
<li><strong>Certificate Hierarchy:</strong> Displays the certificate chain, with the
certificate you originally selected at the bottom. A certificate chain is a
hierarchical series of certificates signed by successive certificate authorities
(CAs). A CA certificate identifies a <a href="glossary.html#certificate_authority">certificate authority</a> and is
used to sign certificates issued by that authority. A CA certificate can in turn
be signed by the CA certificate of a parent CA and so on up to a <a href="glossary.html#root_CA">root CA</a>.</li>
<li><strong>Certificate Fields:</strong> Displays the fields of the certificate
selected under Certificate Hierarchy.</li>
<li><strong>Field Value:</strong> Displays the value of the field selected under
Certificate Fields.</li>
<p>The Certificate Viewer displays basic ANSI types in human-readable form wherever
possible. For fields whose contents the Certificate Manager cannot interpret, it
displays the actual values contained in the certificate.</p>
<h2 id="choose_security_device">Choose Security Device</h2>
<p>A security device (sometimes called a token) is a hardware or software device that
provides cryptographic services such as encryption and decryption and stores
certificates and keys. The Choose Security Device window appears when Certificate
Manager needs help deciding which security device to use when importing a certificate
or performing a cryptographic operation, such as generating keys for a new
certificate. This window allows you to select one of two or more security devices
that Certificate Manager has detected on your machine.</p>
<p>A smart card is one example of a security device. For example, if a smart card reader
connected to your computer has a smart card inserted in it, the name of the smart card
will show up in the drop-down menu. In this case, you must choose the name of the smart
card from the menu to let Certificate Manager know that you want to use it.</p>
<p>The Certificate Manager also supplies its own default, built-in security device, which
can always be used no matter what additional devices are or aren't available.</p>
<h2 id="encryption_key_copy">Encryption Key Copy</h2>
<p><a href="glossary.html#certificate_authority">Certificate authorities (CAs)</a>
that issue separate signing and encryption email certificates typically make backup
copies of your private <a href="glossary.html#encryption_key">encryption key</a> during
the certificate enrollment process.</p>
<p>The Encryption Key Copy dialog box allows you to approve the creation of such a backup
or cancel the certificate request. A CA that has archived a backup copy of your
encryption key has the potential capability of decrypting any messages you receive that
were encrypted with your corresponding public key.</p>
<p>You can take these actions from the Encryption Key Copy dialog box:</p>
<li><strong>View Certificate:</strong> To view the certificate identifying the CA that
is requesting the backup copy, click View Certificate.<br/></li>
<li><strong>OK:</strong> If you trust the CA identified by the CA certificate to decrypt
encrypted messages that you receive, click OK.<br/><br/>
If you are not sure whether to trust the CA that is requesting the backup copy, talk
to your system administrator.<br/></li>
<li><strong>Cancel:</strong> If you don't trust the CA that is requesting the backup
copy, don't request a certificate from it. Click Cancel to stop both the backup
procedure and the request for a certificate.</li>
<p>After your CA makes a backup copy of the encryption key, you will be able to use that key
to access your encrypted mail even if you lose your password or lose your own copy of
the key. If no backup copy of your encryption key exists and you lose your password or
the key, you will have no way of reading email messages that were encrypted with that key.</p>
<h2 id="certificate_backup">Certificate Backup</h2>
<p>When you receive a certificate, make a backup copy of the certificate and its private key,
then store the copy in a safe place. For example, you can put the copy on a floppy disk and
store it with other valuable items under lock and key. That way, even if you have hard disk
or file corruption problems, you can easily restore the certificate.</p>
<p>It can be inconvenient, at best, and in some situations catastrophic to lose your certificate
and its associated private key, depending on what you use it for. For example:</p>
<li>If you lose a certificate that identifies you to important web sites, you will not be
able to access those web sites until you obtain a new certificate. </li>
<li>If you lose a certificate used to encrypt email messages, you will not be able to read
any of your encrypted email—including both encrypted messages that you have sent and
encrypted messages that you have received. In this case, if you cannot obtain a backup of
the private encryption key associated with the certificate, you will never be able to read
any of the messages encrypted with that key.</li>
<p>Like any other valuable data, certificates should be backed up to avoid future trouble and
expense. Do it now so you don't forget.</p>
<h2 id="user_identification_request">User Identification Request</h2>
<p>Some web sites require that you identify yourself with a certificate rather than a name
and password, because certificates provide a more reliable form of identification. This
method of identifying yourself over the Internet is sometimes called
<a href="glossary.html#client_authentication">client authentication</a>.</p>
<p>However, Certificate Manager may have more than one certificate on file that can be used
for the purposes of identifying yourself to a web site. In this case, Certificate Manager
presents the User Identification Request dialog box, which displays two kinds of
<p><strong>This site has requested that you identify yourself with a certificate:</strong>
This section of the dialog box lists the following information:</p>
<li><strong>Host name:</strong> The name of the server requesting identification,
used as part of its URL. For example, the host name for the Netscape web site
is <tt>home.netscape.com</tt>.</li>
<li><strong>Organization:</strong> The name of the organization that runs the web
<li><strong>Issued under:</strong> The name of the
<a href="glossary.html#certificate_authority">certificate authority
(CA)</a> that issued the certificate.</li>
<p><strong>Choose a certificate to present as identification:</strong> The certificates you
have available for the purposes of identifying yourself to a web site are listed in the
drop-down list in this section of the dialog box. Choose the certificate that seems most
likely to be recognized by the web site you want to visit.</p>
<p>To help you decide, the following details of the selected certificate are displayed:</p>
<li><strong>Issued to:</strong> Lists information about the person identified by the
certificate (for example, your name and email address) and the certificate's
serial number and validity dates.</li>
<li><strong>Issued by:</strong> Summarizes information about the CA that issued the
certificate, such as its name, location, and state.</li>
<h2 id="new_certificate_authority">New Certificate Authority</h2>
<p>The certificates that the Certificate Manager has on file, whether stored on your computer
or on an external security device such as a smart card, include certificates that
identify <a href="glossary.html#certificate_authority">certificate authorities
(CAs)</a>. To be able to recognize any other certificates it has on file, Certificate
Manager must have certificates for the CAs that issued or authorized issuance of those
<p>When you decide to trust a CA, Certificate Manager downloads that CA's certificate and can
then recognize the kinds of certificates you trust that CA to issue.</p>
<p>Before downloading a new CA certificate, Certificate Manager allows you to specify the
purposes for which you trust the certificate, if at all. You can select any of the
following options:</p>
<li><strong>Trust this CA to identify web sites: </strong>Web site certificates for some
sites, such as those that handle financial transactions, can be extremely important,
and inappropriate or false identification can have negative consequences.</li>
<li><strong>Trust this CA to identify email users: </strong>If you intend to send email
users confidential information in encrypted form, or if accurate identification of
email users is important to you for any other reason, you should consider carefully the
CA's procedures for identifying prospective certificate owners and whether they are
appropriate for your purposes before selecting this option.</li>
<li><strong>Trust this CA to identify software developers:</strong> Selecting this option
means that you trust the CA to issue certificates that identify the origin of Java
applets and JavaScript scripts requesting special access to your computer, such as the
ability to change files. Since such access privileges can be misused, for example to
destroy data stored on your hard disk, be very careful about selecting this option
unless you are certain that you trust the CA for this purpose.</li>
<p>Before you decide to trust a new CA, make sure that you know who is operating it. Make
sure the CA's policies and procedures are appropriate for the kinds of certificates it
issues. For example, if the CA issues certificates identifying web sites you use for
financial transactions, make sure you are comfortable with the level of assurance the CA
<li><strong>View:</strong> Click this button to view the CA certificate you are about to
download. If you decide you don't want to download this certificate, click Cancel.</li>
<h2 id="web_site_certificates">Web Site Certificates</h2>
<p>One of the windows listed here may appear when you attempt to go to a web site that
supports the use of <a href="glossary.html#Secure_Sockets_Layer">SSL</a> for
<a href="glossary.html#authentication">authentication</a> and
<a href="glossary.html#encryption">encryption</a>.</p>
<div class="contentsBox">In this section:
<li><a href="#web_site_certified_by_an_unknown_authority">Web Site Certified by an Unknown Authority</a></li>
<li><a href="#server_certificate_expired">Server Certificate Expired</a></li>
<li><a href="#server_certificate_not_yet_valid">Server Certificate Not Yet Valid</a></li>
<li><a href="#domain_name_mismatch">Domain Name Mismatch</a></li>
<h3 id="web_site_certified_by_an_unknown_authority">Web Site Certified by an Unknown
<p>Many web sites use certificates to identify themselves when you visit the site. If
Certificate Manager doesn't recognize the <a href="glossary.html#certificate_authority">
certificate authority (CA)</a> that issued a web site's certificate, it displays an alert
that allows you to examine the new web site certificate and decide what to do.</p>
<li><strong>Examine Certificate:</strong> Click this button to view the web site's
<p>You can choose one of these options from this alert:</p>
<li><strong>Accept this certificate permanently.</strong> Select this option to accept
the certificate (despite the apparent problem) and connect to the web site.
Certificate Manager will recognize this certificate as legitimate identification until
the certificate expires.</li>
<li><strong>Accept this certificate temporarily for this session.</strong> Select this
option to accept the certificate temporarily and connect to the web site. Certificate
Manager will recognize this certificate as legitimate identification only until the
next time you launch the browser. You may see the same alert the next time you attempt
to visit the web site.</li>
<li><strong>Do not accept this certificate and do not connect to this web site.</strong>
Select this option if you decide not to visit the web site at all. This option might be
appropriate, for example, if you perform financial transactions at the web site. In
this case you might want to report the problem to the bank or other organization that
runs the site and confirm that the site's certificate is valid before you go any
<p>Click OK to confirm your choice. If you click Cancel, Certificate Manager will not
recognize the certificate as legitimate identification and will not connect to the web
<p><strong>Important note for server administrators:</strong> This alert may be triggered by
a server that is not configured correctly. To find out if this is the case, the server
administrator or webmaster for the site you are attempting to visit should check the status
of any required intermediate CAs and if necessary, install the missing certificate in the
<p>If you decide to contact the web site's webmaster about this issue, you can include the
following information:</p>
<li>The server administrator can obtain more information about intermediate CAs from here:
<a href="http://kb.verisign.com/esupport/esupport/consumer/esupport.asp?id=vs2119" target="_blank">
http://kb.verisign.com/esupport/esupport/consumer/esupport.asp?id=vs2119</a><br/></li>
<li>If the server is using a VeriSign certificate, the server administrator can download
the appropriate certificate from here: <br/><br/>
<a href="http://www.verisign.com/support/install/index.html" target="_blank">
http://www.verisign.com/support/install/index.html</a></li>
<p><strong>For advanced users:</strong> To ensure that Certificate Manager trusts all
certificates issued by a given CA, you can edit the trust settings for the corresponding
CA certificate. To do so, follow these steps:</p>
<li>Open the Edit menu (&brandShortName; menu on Mac OS X) and choose Preferences.</li>
<li>Under the Privacy &amp; Security category, click Certificates. (If no subcategories
are visible, double-click Privacy &amp; Security to expand the list.)</li>
<li>Click Manage Certificates.</li>
<li>Click the Authorities tab.</li>
<li>Select the CA certificate whose trust settings you want to edit.</li>
<li>Click the Edit button and select the appropriate trust settings.</li>
<h3 id="server_certificate_expired">Server Certificate Expired</h3>
<p>Like a credit card, a driver's license, and many other forms of identification, a
<a href="glossary.html#certificate">certificate</a> is valid for a specified period of
time. When a certificate expires, the owner of the certificate needs to get a new
<p>Certificate Manager warns you when you attempt to visit a web site whose server
certificate has expired. The first thing you should do is make sure the time and date
displayed by your computer are correct. If your computer's clock is set to a date that is
after the expiration date, Certificate Manager treats the web site's certificate as
<p>If your computer's clock is set correctly, you need to make a decision about whether to
trust the site. This decision depends on what you intend to do at the site and what else
you know about it. Most commercial sites will make sure that they replace their
certificates before they expire. </p>
<p>You can take these actions from the Expired Server Certificate dialog box:</p>
<li><strong>View Certificate:</strong> To examine information about the certificate,
including its validity period, click View Certificate.<br/></li>
<li><strong>OK:</strong> If you have reason to believe the certificate's expiration is an
inadvertent error, you may choose to click OK to accept the certificate anyway for this
session, and let the webmaster for the site know about the problem.<br/><br/>
Be cautious about any actions you take while you are visiting the site.</li>
<li><strong>Cancel:</strong> If you suspect that there may be a significant problem and you
don't want to risk visiting the site at all, click Cancel (in which case Certificate
Manager will not connect you to the site).</li>
<h3 id="server_certificate_not_yet_valid">Server Certificate Not Yet Valid</h3>
<p>Like a credit card, a driver's license, and many other forms of identification, a
<a href="glossary.html#certificate">certificate</a> is valid for a specified period of
<p>Certificate Manager warns you when you attempt to visit a web site whose server
certificate's validity period has not yet started. The first thing you should do is make
sure the time and date displayed by your own computer are correct. If your computer's clock
is set to the wrong date, Certificate Manager may treat the server certificate as not yet
valid even if this is not the case. </p>
<p>If your computer's clock is set correctly, you need to make a decision about whether to
trust the site. This decision depends on what you intend to do at the site and what else
you know about it. Most commercial sites will make sure that the validity period for their
certificates has begun before beginning to use them. </p>
<p>You can take these actions from the Server Certificate Not Yet Valid dialog box:</p>
<li><strong>View Certificate:</strong> To examine information about the certificate,
including its validity period, click View Certificate.<br/></li>
<li><strong>OK:</strong> If you have reason to believe the problem is an inadvertent error,
you may choose to click OK to accept the certificate anyway for this session, and let
the webmaster for the site know about the problem.<br/><br/>
Be cautious about any actions you take while you are visiting the site.<br/></li>
<li><strong>Cancel:</strong> If you suspect that there may be a significant problem and you
don't want to risk visiting the site at all, click Cancel (in which case Certificate
Manager will not connect you to the site).</li>
<h3 id="domain_name_mismatch">Domain Name Mismatch</h3>
<p>A server <a href="glossary.html#certificate">certificate</a> specifies the name of the
server in the form of the site's domain name. For example, the domain name for the Mozilla
web site is <tt>www.mozilla.org</tt>. If the domain name in a server's certificate
doesn't match the actual domain name of the web site, it may be a sign that someone is
attempting to intercept your communication with the web site.</p>
<p>The decision whether to trust the site anyway depends on what you intend to do at the site
and what else you know about it. Most commercial sites will make sure that the host name
for a web site certificate matches the web site's actual host name.</p>
<p>You can take these actions from the Domain Name Mismatch dialog box:</p>
<li><strong>View Certificate:</strong> To examine information about the certificate, click
View Certificate.</li>
<li><strong>OK:</strong> If you have reason to believe the problem is an inadvertent error,
you may choose to click OK to accept the certificate anyway for this session, and let the
webmaster for the site know about the problem.<br/><br/>
Be cautious about any actions you take while you are visiting the site, and treat any
information you find there as potentially suspect.</li>
<li><strong>Cancel:</strong> If you suspect that there may be a significant problem and you
don't want to risk visiting the site at all, click Cancel (in which case Certificate
Manager will not connect you to the site).</li>
<p>If you decide to accept the certificate anyway for this session, you should be cautious
about what you do on the web site, and you should treat any information you find there as
potentially suspect.</p>
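<p>Added example, not part of the original help text and not the browser's own code: a Python
sketch of the checks behind the Server Certificate Expired, Server Certificate Not Yet Valid and
Domain Name Mismatch alerts, run against a constructed certificate in the dictionary form returned by
Python's <tt>ssl.SSLSocket.getpeercert()</tt>. The function names, the sample certificate, the
wildcard rule and the preference for subject alternative names over the Common Name are
assumptions of this example.</p>

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dictionary form returned by
# ssl.SSLSocket.getpeercert(); not taken from any real site.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"),
                       ("DNS", "*.static.example.org")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
}


def name_matches(pattern, host):
    """Compare one DNS name from the certificate with the requested host.

    Assumption of this example: "*" is honoured only as the whole
    left-most label and stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Need at least "*.name.tld" so that "*.org" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def dns_names(cert):
    """DNS names the certificate asserts: SAN entries, else Common Name."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for key, v in rdn if key == "commonName"]


def check_server_cert(cert, host, now):
    """Return the alerts (named after this page's dialogs) that apply.

    `now` is the local clock as a timezone-aware datetime; a wrong clock
    produces a validity alert for a certificate that is in fact valid.
    """
    alerts = []
    t = now.timestamp()
    if t < ssl.cert_time_to_seconds(cert["notBefore"]):
        alerts.append("Server Certificate Not Yet Valid")
    if t > ssl.cert_time_to_seconds(cert["notAfter"]):
        alerts.append("Server Certificate Expired")
    if not any(name_matches(n, host) for n in dns_names(cert)):
        alerts.append("Domain Name Mismatch")
    return alerts


if __name__ == "__main__":
    utc = timezone.utc
    cases = [
        ("www.example.org", datetime(2024, 6, 1, tzinfo=utc)),
        ("www.example.org", datetime(2025, 3, 1, tzinfo=utc)),   # expired
        ("www.example.org", datetime(2023, 12, 1, tzinfo=utc)),  # clock behind
        ("example.org", datetime(2024, 6, 1, tzinfo=utc)),       # bare domain
        ("img.static.example.org", datetime(2024, 6, 1, tzinfo=utc)),
        ("a.b.static.example.org", datetime(2026, 1, 1, tzinfo=utc)),
    ]
    for host, now in cases:
        result = check_server_cert(SAMPLE_CERT, host, now)
        print(host, now.date(), result or "no alert")
```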