Using the Windows Certificate Viewer

 

 

Software Versions Used in This Document

OS: Microsoft Windows XP Professional, Version 2002, Service Pack

 

This document provides a tutorial/demonstration of viewing PKI certificates using the Windows viewer.

 

Navigate to the “Certificates” Dialog Box

View a Particular Certificate

 

Navigate to the “Certificates” Dialog Box

  1. Start Internet Explorer.
  2. Choose the menu item “Tools -> Internet Options…”.

 

 

  1. Click on the “Content” tab.

 

 

  1. Click on the “Certificates…” button.  The resulting window shows the different kinds of certificates in the Windows store and starts on the tab showing your personal certificates.

 

 

  1. Click on a personal certificate to highlight it.  If you don’t have one, you can enroll to get one.  At Dartmouth, you can learn how to do so by visiting our PKI user web at http://www.dartmouth.edu/~pki.  In this example, I just highlight the lone “Mark J. Franklin” certificate entry.
  2. Click on the “View” button.

View a Particular Certificate

 

  1. Notice that this window shows to whom the certificate was issued, which Certificate Authority issued it, and its validity period.  The certificate in this example also has a private key associated with it.  This key is encrypted in the certificate store.  It is normal to have a private key for your personal certificates, but you won’t have one for other users’ certificates or root certificates.  Some certificates have more restricted purposes (perhaps for encryption only).  If the certificate specifies this, then the “This certificate is intended for the following purpose(s):” section will reflect the specified purposes.
  2. Click on the “Details” tab.  The top pane in the resulting window shows all the fields in the certificate.

 

 

  1. Click on one of the fields (say the “Subject” field).  The certificate viewer will now show the details in that field.

 

 

  1. Notice that this certificate was issued by Dartmouth’s CertAuth1 Certificate Authority.  Other interesting fields visible now are “Serial Number” (a unique number identifying each certificate from this CA), the “Valid from” and “Valid to” dates, and the “Subject” identity information.
  2. Scroll to the bottom of the fields pane.
  3. Click on the “Thumbprint” field.

 

 

  1. Notice the hexadecimal number in the bottom pane.  This is a unique number that you can use to unequivocally identify this certificate.  This is useful to make sure you are using the right certificate for S/MIME or other encryption.
  2. Click on the “Certification Path” tab.

 

 

  1. Notice that the “Certificate status” window in this case indicates that Windows was able to verify the certificate.  This means that Windows trusts the Certificate Authority that issued this certificate, and the certificate has not expired.  We have not yet found any facilities in Windows to check CRLs or OCSP for certificate revocation, so it is possible that the “Certificate status” could be OK even though the certificate has been revoked.  If your certificate was issued by an intermediate Certificate Authority instead of a root CA (it is common for certificates to go either way), then you will see more than one certificate in the certification path.  Each certificate above the leaf certificate is the identity certificate for the CA that issued the certificate immediately below it.  In this case, there is only a root CA.
  2. Click on the root certificate to highlight it.
  3. Click on “View Certificate” which should now be enabled.

 

 

 

  1. Notice that this has just invoked another instance of the Windows certificate viewer to display the root certificate.  You can view details and certification path the same as with the personal certificate.  In this case, the certification path is very simple – just one certificate because the root CA issues its own identity certificate.
  2. Click the “OK” button in both “Certificate” windows to close them.
  3. Click on the “Trusted Root Certification Authorities” tab.  You may not see the “Authorities” part of the name unless you use the “>” button to fully expose it.

 

 

  1. Notice that you have a very long list of trusted root certificates!  Most of these are from companies that have arranged for Microsoft to include their CA’s root certificate(s) in the Windows installation.  Un-expired user or server identity certificates that have a certification path leading to one of these root certificates will be trusted by Windows (unless you explicitly tell Windows to not trust them).  Windows will flag as “un-trusted” user or server identity certificates that don’t have their root certificate in this store or one of the other trusted stores (unless you explicitly choose to trust them anyway).
  2. You can import, export, remove, or view root certificates the same as personal certificates.
  3. Note that not all trusted root certificates are installed by Microsoft.  Below is one automatically installed by the Dartmouth PKI certificate web enrollment process or installed by visiting https://collegeca.dartmouth.edu/rootcert.html.  It is useful for Dartmouth users to have the Dartmouth root certificate installed because we issue campus web and mail server identity certificates with this CA.

 

 

  1. Explore the various panes, certificates, etc.
  2. When you are done exploring, click the “Close” button in the “Certificates” window to close it.
  3. Click the “OK” button in the “Internet Options…” window to close it.
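
The fields this walkthrough inspects by hand (issuer, validity period, private key, thumbprint, certification path) can also be read from the same stores with PowerShell. The script below is an added example, not part of the original tutorial; it assumes Windows PowerShell 3.0 or later, relies on the Windows thumbprint being the SHA-1 hash of the DER-encoded certificate, and asks the chain builder for online revocation checking.

```powershell
# Added example, not from the original tutorial.
# Cert:\CurrentUser\My   = the "Personal" tab of the Certificates dialog
# Cert:\CurrentUser\Root = the "Trusted Root Certification Authorities" tab
$x509 = 'System.Security.Cryptography.X509Certificates'
$sha1 = [System.Security.Cryptography.SHA1]::Create()

foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    # Recompute the thumbprint: SHA-1 over the raw DER bytes of the certificate.
    $digest   = $sha1.ComputeHash($cert.RawData)
    $computed = [System.BitConverter]::ToString($digest) -replace '-', ''

    # Build the certification path and request CRL/OCSP checks for every
    # certificate in it (needs network access to the CA's endpoints).
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = [Enum]::Parse([type]"$x509.X509RevocationMode", 'Online')
    $chain.ChainPolicy.RevocationFlag = [Enum]::Parse([type]"$x509.X509RevocationFlag", 'EntireChain')
    $trusted = $chain.Build($cert)

    # Leaf first, root last: the same order as the "Certification Path" tab,
    # read bottom to top.
    $path   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    $status = ($chain.ChainStatus   | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = '(no errors reported)' }

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        SerialNumber    = $cert.SerialNumber
        ValidFrom       = $cert.NotBefore
        ValidTo         = $cert.NotAfter
        HasPrivateKey   = $cert.HasPrivateKey
        Thumbprint      = $cert.Thumbprint
        ThumbprintMatch = ($computed -eq $cert.Thumbprint)
        Path            = $path
        ChainTrusted    = $trusted
        ChainStatus     = $status
    } | Format-List
}

# Size of the trusted root list shown on the last tab of the dialog.
$roots = @(Get-ChildItem Cert:\CurrentUser\Root)
"Trusted root certificates in the current user's view: $($roots.Count)"
```

A `ChainStatus` of `RevocationStatusUnknown` means the CRL or OCSP responder could not be reached, which is not the same as a clean result; `Revoked` means the check completed and the certificate should not be used.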

 

 

Modified: 12/8/2003