Certificate Management overview

The main purpose of Certificate Management (also known as certman) is to provide validation services according to the PKIX Certificate and CRL profile for public keys given the following: a set of one or more End Entity (EE) and intermediate Certification Authority (CA) certificates supplied by an EE, and a local store of CA certificates which are directly trusted by the user ('root' certificates).

Services provided by certman include:

• Storage and retrieval of certificates

• Assignment of trust status to a certificate on an application by application basis

• Certificate chain construction and validation

• Verification of trust of a certificate.

A subsidiary role of certificate management is to enable users to add and delete root certificates, and edit their trust settings.

Certman is composed of a hierarchy of sub-components. Each one is implemented as a DLL and in most cases exposes a public API. The following figure shows the relationship between the different sub-components/APIs.

As shown, certman functionality is divided into several DLLs, this enables client code to use a particular area of functionality without having to use the rest. For example, a client may want to use X.500 DNs without the X.509 certificate functionality (e.g., for general LDAP queries).

Further, these DLLs may be catergorised into one of two groups (group membership is determined by the type of certificate features offered):

• Common certificate features

  Features that should be common across many types of certificates

  For example: certstore.dll and crypto.dll, as they are usable for any certificate format

• Specific certificate features

  Features that are specific to a particular certificate format

  For example: x500.dll, x509.dll, and pkixcert.dll, as they are specific to the X.509 specification (although x500.dll may be used without the other two).