
PowerTCP SSL Sockets for .NET

Security Overview

What is a digital certificate?

Authentication is important for secure communications. Users must be able to prove their identity to the entities they are communicating with. In addition, they must be able to verify the identity of the entity communicating with them. This is accomplished by presenting or verifying some form of trusted credentials.

A digital certificate is a common credential that provides authentication. A trusted organization, called a Certificate Authority (CA), assigns a certificate to a user or entity, and the user or entity then uses the certificate to prove its identity to the other side. You may configure your system to accept any number of Certificate Authorities. Complete the following steps to access the Certificates dialog box:

  1. In the Control Panel, double-click Internet Options.
  2. Select the Content tab, and then click Certificates.

Where do I get a certificate?

Certificates must come from a trusted CA. A user submits a certificate request to a CA and the CA returns a certificate for the user to use. Listed below are some Certificate Authorities:

You always need a digital certificate installed to operate as a server. You only need a digital certificate installed on a client if the server requests authentication.


How does the authentication process work?

  1. The client normally initiates the TCP connection. The Connect method makes this TCP connection, sends a "client hello" message, and automatically responds to authentication requests received from the server.
  2. The server accepts the connection initiated by the client, constructs its digital credentials from the digital certificate referred to by the Certificate Property, and sends its credentials to the client.
  3. Optionally, the server may also send an authentication request to the client.
  4. The client receives the server's credentials, verifies them against the CAs it is configured to trust, and responds with its own credentials if an authentication request is received.
  5. If the client and server cannot negotiate a mutually acceptable security protocol, an error is generated and the connection is closed.
  6. If the client cannot validate the server's credentials, an error is generated and the client closes the connection.
  7. If the server cannot validate the client's credentials (if requested), an error is generated and the server closes the connection.
  8. Once protocol negotiation and authentication are successful, secure encryption/decryption is performed on all data passing over the connection.
  9. The session is terminated when one side closes the connection.
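
The exchange above, as an added example written against .NET's built-in SslStream rather than the PowerTCP components (it is not code from this documentation or from Dart Communications). It assumes .NET 7 or later and a constructed self-signed certificate for localhost, and it covers server authentication only (steps 1, 2, 4, 6 and 8): the handshake runs once with the default system trust and once with the certificate configured as a trusted root.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Constructed test credential: a self-signed certificate for "localhost".
using var rsa = RSA.Create(2048);
var req = new CertificateRequest("CN=localhost", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
var san = new SubjectAlternativeNameBuilder();
san.AddDnsName("localhost");
req.CertificateExtensions.Add(san.Build());
using var ephemeral = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
// PFX round trip so the private key is usable by SslStream on Windows.
using var serverCert = new X509Certificate2(ephemeral.Export(X509ContentType.Pfx));

// Client trust configuration that accepts only the constructed certificate as a root.
// Revocation checking is off only because the test certificate has no CRL or OCSP endpoint.
var pinned = new X509ChainPolicy { TrustMode = X509ChainTrustMode.CustomRootTrust, RevocationMode = X509RevocationMode.NoCheck };
pinned.CustomTrustStore.Add(serverCert);

Console.WriteLine("system trust: " + await Handshake(serverCert, null));   // issuer is not a trusted CA (step 6)
Console.WriteLine("pinned trust: " + await Handshake(serverCert, pinned)); // issuer is trusted (step 8)

static async Task<string> Handshake(X509Certificate2 cert, X509ChainPolicy? trust)
{
    var listener = new TcpListener(IPAddress.Loopback, 0);
    listener.Start();
    var server = Task.Run(async () =>
    {   // Step 2: accept the connection and present the server credentials.
        using var conn = await listener.AcceptTcpClientAsync();
        using var serverTls = new SslStream(conn.GetStream());
        try { await serverTls.AuthenticateAsServerAsync(cert); }
        catch (Exception) { /* the client refused the credentials and closed the connection */ }
    });
    string result;
    using (var client = new TcpClient())
    {   // Steps 1 and 4: connect, send the client hello, verify the server against trusted CAs.
        await client.ConnectAsync(IPAddress.Loopback, ((IPEndPoint)listener.LocalEndpoint).Port);
        using var clientTls = new SslStream(client.GetStream());
        var options = new SslClientAuthenticationOptions { TargetHost = "localhost", CertificateChainPolicy = trust };
        try { await clientTls.AuthenticateAsClientAsync(options); result = "ok, " + clientTls.SslProtocol; }
        catch (AuthenticationException e) { result = "rejected: " + e.Message; }
    }
    await server; listener.Stop();
    return result;
}
```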

What is a certificate store?

A certificate store is a location on the system (memory, disk, registry, etc.) where certificates are stored for use. There are three major system stores and other minor stores. The three major stores are:

There are other certificate stores. For example, the store "SPC" contains software publisher's certificates. For more information see the CertificateStoreName enumeration.


What are the system store and the machine store?

The system store is the certificate store located in the HKEY_CURRENT_USER registry key. The machine store is the certificate store located in the HKEY_LOCAL_MACHINE registry key. Applications installed as a service should store their certificates in the machine store since there is no current user when running as a service.


What is the X500 naming convention?

This is a format for creating a distinguished name. The different parts of the name are described below:

Here are some examples of X500 names:


In This Section

Security Overview
Provides an overview of basic security concepts such as digital certificates and authentication.
PowerTCP Secure Implementation Explained
Discusses how security is implemented in PowerTCP SSL Sockets for .NET.
Creating an SSL Client
Discusses how to create an SSL Client using the Tcp component.
Creating an SSL Server
Discusses how to create an SSL Server using the Server component.
Using the CertificateListForm Object
Demonstrates how to use the CertificateListForm to assist users in selecting a certificate.
Using MMC to Manage SSL Certificates
Discusses how to use the Microsoft Management Console to manage SSL certificates.
Simple Encryption/Decryption
Demonstrates how to use the SymmetricCryptoStream to encrypt/decrypt stream-based data.
Windows 95/98 Security Compatibility
Discusses compatibility issues with Windows 95 and 98.

 

 

 



Documentation version 1.1.2.0.

© 2008 Dart Communications.  All rights reserved.