Overall System Status:
PKI is the acronym for Public Key Infrastructure. The technology is called Public Key because, unlike earlier forms of cryptography, it works with a pair of keys. One of the two keys can be used to encrypt information that can only be decrypted with the other key. One key is made public and the other is kept secret. The secret key is usually called the private key. Since anyone can obtain the public key, users can initiate secure communications without having to previously share a secret through some other medium with their correspondent. The Infrastructure is the underlying system needed to issue keys and certificates and to publish the public information.
A public key needs to be associated with the name of its owner. This is done by using a public key certificate, which is a data structure containing the owner's name, their public key and e-mail address, validity dates for the certificate, the location of revocation information, the location of the issuer's policies, and possibly other information such as their affiliation with the certificate issuer (often an employer or institution). The certificate data structure is signed with the private key of the issuer so that a recipient can verify the identity of the signer and prove that the data in the certificate has not been altered. Public Key Certificates are then published, often in an LDAP directory, so users of PKI can locate the certificate for an individual with whom they wish to communicate securely.
A secret key allows two transformations of data to occur. Plain text is transformed to cipher text, which is unreadable until it is transformed back to plain text using the secret key. A public key system uses the Encrypt and Decrypt functions to implement two primitive operations, data encryption and signatures.
To encrypt data, the public key of the recipient is used to transform a plain text message to cipher text. The cipher text of the message can be converted back to plain text only by using the corresponding private key. Since this private key is known only by the intended recipient, only that individual can decrypt the message.
A signature is created by transforming plain text to cipher text using the private key of the signer. A signature is verified by looking up the public key of the signer and attempting to transform the cipher text of the signature back to plain text. If the operation is successful, it verifies that the data encryption was done with the corresponding private key. This implies that the signature was produced by the owner of that private key.
PKI certificates issued by Dartmouth College onto eTokens are currently valid for four years or until the owner's account expires in the DND. PKI certificates issued onto a computer's hard drive are currently valid for two years or until the owner's account expires in the DND. You do not need to get another certificate until the one you have expires. You can get more than one certificate, but having more than one may cause problems in other PKI applications.
At this time there is no way to recover a forgotten password for a certificate. You will need to get a new certificate or import one from a backup you previously exported.
Export it and save the file. For details, see Moving Certificates Between Computers and Browsers.
When creating a certificate, your computer's clock must be set to the correct time. If you get a message that the clock on your computer does not match the time on the server, you will need to reset the date and time in the Date & Time Control Panel (Windows) or the Date & Time system preference (Macintosh). Most systems offer the option of synchronizing your computer with a network time server. You may need to quit and restart your web browser after resetting the time and date for the correct time to become effective.
Typically one of two reasons: the web page doesn't allow access via PKI, or your PKI certificate is not installed properly for the web browser you are using. For additional information on making sure your PKI certificate is properly installed, see Testing a Certificate under your browser type in Getting a Certificate.
Other web browsers, such as OmniWeb, Konqueror, Chimera, or Galeon, include support for client PKI certificates. Their operation is generally similar to the more widely used web browsers. Look for the corresponding PKI features and follow the instructions to add the certificate.
See Moving Certificates Between Computers and Browsers (follow the instructions provided). It's easier to change browsers than to change computers. Read the browser details information for both browsers (one for getting the certificate out of your first browser, and the other for getting it into the new browser).
Internet Explorer for the Macintosh (all versions) does not include support for client PKI certificates. These versions of Internet Explorer generate an error if you try to connect to a Web site that has SSLVerifyClient set to Optional. Internet Explorer displays the alert, "Security Failure. Personal certificate required." If you are using a Macintosh, you should use Safari, Firefox, or Netscape.
As Internet Explorer has not been developed for the Macintosh for several years, we do not expect this to change.
Because Netscape 6.2.1-6.2.3 has errors in their support of personal certificates for client authentication, we recommend upgrading to Netscape 7.2 or higher.
Older browsers such as Netscape 4.0 sometimes will not display GIF images included on secure pages. We recommend using the latest version of your browser of choice with the exception of Internet Explorer for the Macintosh.
Last Updated: 2/18/10