Intended for: Users who need to use a certificate to access a protected website, application, computer or other resources

Scenario/Use case:

This article provides general information about certificates and how they work.


Certificates provide a way to verify a user's identity on a computer or over a computer network before allowing the user access to a protected website, application, computer or other resources. Typical computer services that require certificate authentication include secure websites, grid services, and email signing and encryption. 

Certificates rely on Public Key Infrastructure (PKI), a virtual "lockbox" technology, in which two keys are needed in order for a user to access the requested resource: a "private" key that the user holds and a "public" key that the user's certificate holds. At Fermilab, the PKI-protected services and resources currently recognize the following type of certificate:

How do certificates work?

A certificate is a digitally signed statement from a trusted third party, acting as a "middleman", that associates the public key with a name. When a user requests access to a PKI-protected resource, the resource invokes PKI and says "User X requested access. Please check whether User X is really User X." PKI retrieves the certificate it has for User X and requests the user's private key. It then checks whether the combination of public and private keys "opens the lockbox", and reports "yes" or "no" to the resource.

Besides people, certificates can also identify hosts and services.   
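
The check described under "How do certificates work?", as an added Go example (not part of the original article and not Fermilab's code): a CA signs a certificate that binds the name "User X" to a public key, and the resource answers yes or no by verifying the CA's signature and a signature made with the matching private key over a fresh random challenge. The function names issue and authenticate, the "Example CA" name, the Ed25519 keys and the challenge-signing step are assumptions chosen for the illustration; in this sketch the private key is only used to sign and is never handed over.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue is the CA's role: sign a statement binding name to pub (nil parent: the CA's own self-signed certificate).
func issue(name string, serial int64, pub any, parent *x509.Certificate, caKey ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent = true, x509.KeyUsageCertSign, t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, caKey))))
}

// authenticate is the resource's yes/no check: the certificate must chain to a trusted CA, and sig over the
// resource's fresh nonce must verify under the certificate's public key (proof the caller holds the private key).
func authenticate(trusted *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted})
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return err == nil && ok && ed25519.Verify(pub, nonce, sig)
}

func main() {
	seed := make([]byte, 64) // constructed demo keys: two 32-byte Ed25519 seeds, CA first, then User X
	must(rand.Read(seed))
	caKey, userKey := ed25519.NewKeyFromSeed(seed[:32]), ed25519.NewKeyFromSeed(seed[32:])
	ca := issue("Example CA", 1, caKey.Public(), nil, caKey)
	userCert := issue("User X", 2, userKey.Public(), ca, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	nonce := make([]byte, 32) // the resource picks a new random challenge for every login
	must(rand.Read(nonce))
	fmt.Println("right key:", authenticate(trusted, userCert, nonce, ed25519.Sign(userKey, nonce)))
	fmt.Println("wrong key:", authenticate(trusted, userCert, nonce, ed25519.Sign(caKey, nonce))) // not User X's key
}
```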
