Validating a certificate requires the certificate-validation logic in the PKI-enabled application to perform a series of checks on different parts of the certificate. Let's examine those checks and other aspects of the certificate-validation process.

The trust check authenticates a trusted CA certificate--a procedure also called certificate-chain validation. In the Windows Server 2003 and Windows 2000 Server PKI, a trusted CA certificate and its public key are known as a trust anchor and are available from the Trusted Root Certification Authorities container in a Windows PKI client's certificate store. The key can be the public key of the issuing CA or of another CA that's part of the certificate's certificate chain--a hierarchical trust model that I explain later. This check also validates certificate extensions, which include basic constraints, name constraints, application policy constraints, and issuance policy constraints.

You don't want to rely on certificates based on obsolete technology.

The revocation check determines whether the issuing CA has revoked the certificate.

In the hierarchical PKI trust model, each certificate contains a pointer to its parent--or issuing--CA, stored in the issuer field of the X.509 certificate. Figure 1 shows the certificate chain of a user certificate that a CA has issued and that's part of a two-level PKI hierarchy.

The certificate-validation software processes the certificate's certificate chain. This process can be split into two subprocesses: chain construction and chain validation. During chain construction, the certificate-validation software walks the certificate's chain, starting with the user certificate, until it finds a trusted CA certificate (i.e., the trust anchor).
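The chain construction and chain validation just described, shown as an added example that is not part of the original article and does not use the Windows certificate-store APIs the article discusses. It uses Go's standard `crypto/x509` package, whose `Verify` performs the same walk: follow each certificate's issuer field through the available intermediate CA certificates until a trust anchor is reached, checking signatures, validity periods, basic constraints and key usage along the way. The two-level hierarchy (a self-signed root CA, an issuing CA, and a user certificate), its names, serial numbers and keys are all constructed here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed two-level PKI: root CA -> issuing CA -> user certificate.
// All names, serial numbers and keys are made up for this example.
type Hierarchy struct {
	Root, Issuing, User *x509.Certificate
}

// mustIssue signs tmpl with signer (nil parent means self-signed). It panics on failure
// because this is a test fixture, not production issuance code.
func mustIssue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// BuildHierarchy mints the three certificates. Each lower certificate's issuer field
// equals the subject of the CA above it; that is the pointer chain construction follows.
func BuildHierarchy(now time.Time) *Hierarchy {
	rootKey, issKey, userKey := mustKey(), mustKey(), mustKey()
	year := 365 * 24 * time.Hour
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root := mustIssue(&x509.Certificate{ // self-signed trust anchor
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * year),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
	}, nil, &rootKey.PublicKey, rootKey)
	issuing := mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * year),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
		MaxPathLen: 0, MaxPathLenZero: true, // basic constraints: end-entity certificates only
	}, root, &issKey.PublicKey, rootKey)
	user := mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "alice@example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(year),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // application policy
	}, issuing, &userKey.PublicKey, issKey)
	return &Hierarchy{Root: root, Issuing: issuing, User: user}
}

// ValidateChain is chain construction plus chain validation for a user certificate:
// Verify follows issuer -> subject links through the intermediates until it reaches a
// trust anchor, checking each signature, validity period, basic constraint and key usage.
// It returns the length of the first chain found (3 for this hierarchy).
func ValidateChain(user *x509.Certificate, intermediates, anchors []*x509.Certificate, at time.Time) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool() // empty, not nil: never fall back to the OS store
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := user.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	now := time.Now()
	h := BuildHierarchy(now)
	inters, anchors := []*x509.Certificate{h.Issuing}, []*x509.Certificate{h.Root}
	n, err := ValidateChain(h.User, inters, anchors, now)
	fmt.Println("trusted chain length:", n, "err:", err)
	_, err = ValidateChain(h.User, inters, nil, now) // no trust anchor: chain construction fails
	fmt.Println("no anchor:", err)
}
```

Two caveats worth keeping in mind when reading this. First, `Verify` only does the trust, validity and extension checks; it performs no revocation check, so a CRL or OCSP lookup against the issuing CA has to be added by the application. Second, the root pools are created empty rather than left `nil` on purpose: a `nil` `Roots` makes Go fall back to the operating system's trust store, which silently changes which trust anchors the application accepts.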