Verisign Root Certificates

Public Keys, Private Keys, and Certificates

The various root programs are run by the likes of Microsoft, Apple, Mozilla and Google. A root program, or root store, is a collection of root CA certificates. Every connected device uses one of these root stores. To be trusted, a CA needs to have its root included in all of these root stores. That’s where the social trust comes in.

A root certificate is a digital certificate that belongs to the issuing Certificate Authority. It comes pre-downloaded in most browsers and is stored in what is called a “trust store.” The root certificates are closely guarded by CAs.

Intermediate certificates branch off root certificates like branches of trees.

When performing authentication, SSL uses a technique called public-key cryptography.


Public-key cryptography is based on the concept of a key pair, which consists of a public key and a private key. Data that has been encrypted with a public key can be decrypted only with the corresponding private key. Conversely, data that has been encrypted with a private key can be decrypted only with the corresponding public key.

The owner of the key pair makes the public key available to anyone, but keeps the private key secret.

A certificate verifies that an entity is the owner of a particular public key.

Certificates that follow the X.509 standard contain a data section and a signature section. The data section includes such information as:

  • The Distinguished Name of the entity that owns the public key

  • The Distinguished Name of the entity that issued the certificate

  • The period of time during which the certificate is valid

  • The public key itself

You can obtain a certificate from a Certificate Authority (CA) such as VeriSign. Alternately, you can create a self-signed certificate, in which the owner and the issuer are the same.

An organization that issues certificates can establish a hierarchy of CAs. The root CA has a self-signed certificate. Each subordinate CA has a certificate that is signed by the next highest CA in the hierarchy. A certificate chain is the certificate of a particular CA, plus the certificates of any higher CAs up through the root CA.
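The data fields and the chain described above can be read directly from a certificate file on Windows. The following PowerShell is an added example, not part of the original page or any vendor procedure; the default file name is an assumption and any `.cer` file path can be passed instead.

```powershell
# Added example: print the X.509 data fields of a certificate file and the
# chain Windows builds for it. Default path is an assumption; pass your own.
param([string]$Path = '.\VeriSign_Class_3_Code_Signing_2010_CA.cer')

$full = (Resolve-Path -LiteralPath $Path).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

# Build the chain from the local certificate stores only (no revocation
# lookups, so this also works on a machine without internet access).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)

# One row per chain element, leaf first, highest CA last.
$rows = foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    [pscustomobject]@{
        Subject      = $c.Subject        # Distinguished Name of the key owner
        Issuer       = $c.Issuer         # Distinguished Name of the signer
        NotBefore    = $c.NotBefore      # start of validity period
        NotAfter     = $c.NotAfter       # end of validity period
        KeyAlgorithm = $c.PublicKey.Oid.FriendlyName
        Thumbprint   = $c.Thumbprint
        SelfSigned   = ($c.Subject -eq $c.Issuer)   # owner and issuer are the same
        Status       = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
$rows | Format-List

# False here means the chain did not end in a root that this machine trusts,
# for example because the root certificate is missing from the local store.
"Chain ends in a locally trusted root: $trusted"
```

A chain whose last element is not self-signed is incomplete: the machine has no copy of the next higher CA certificate.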

To fix this issue, update the root certificates on the computer. If the computer has internet access, launch Windows Update. The download and installation of the updated root certificates occurs automatically in the background. You do not need to take additional action.


If the computer does not have internet access, use the process below to download then install the necessary files. Both certificates are required to properly validate the Symantec Endpoint Protection binaries.

Note: As of 12.1.5, if the required certificates are missing, Symantec Endpoint Protection installs the certificates during installation instead of prompting you to install them.

The Windows interface for adding certificates may look slightly different depending on your version of Windows. Symantec Technical Support does not officially support this process; these instructions are provided for your convenience.

Process to update the necessary root certificates

I. Download the necessary certificates.
II. Add the Certificate snap-in, if needed.
III. Install the Symantec Class 3 Public Primary Certification Authority - G5 certificate.
IV. Install the Symantec Class 3 Code Signing 2010 CA certificate.

I. To download the necessary root certificates

  1. Download roots.zip:
    http://www.symantec.com/content/en/us/enterprise/verisign/roots/roots.zip
  2. Extract all files from roots.zip file into an empty folder.
  3. Download the intermediate code signing certificate:
    https://knowledge.digicert.com/content/dam/digicertknowledgebase/library/VERISIGN/ALL_OTHER/Certificates/Code2010/VeriSign_Class_3_Code_Signing_2010_CA.cer
    Please review DigiCert KB for more information about installation and support: https://knowledge.digicert.com/solution/SO19140.html
  4. Using an internal network connection, or physical media such as a thumb drive, bring these files to the computer on which you need to update the root certificates.

II. To add the Certificate snap-in

  1. Click Start > Run and then enter MMC.
    The Microsoft Windows Management Console opens.
  2. Under Console Root, check for Certificates (Local Computer).
    Note: If this snap-in is already present, skip to III.
  3. Click File > Add/Remove Snap-in. Under Available snap-ins, click Certificates, and then click Add.
  4. In the Certificates snap-in dialogue, click Computer account, and then click Next.
  5. Ensure that Local computer is selected, and then click Finish.

III. To install the Symantec Class 3 Public Primary Certification Authority - G5 certificate

  1. While in the Microsoft Windows Management Console, click to expand Certificates (Local Computer), and then expand Trusted Root Certification Authorities.
  2. Right-click Certificates, and then click All Tasks > Import.
  3. In the Certificate Import Wizard dialogue, click Next.
  4. Click Browse to navigate to VeriSign Class 3 Public Primary Certification Authority – G5.cer. Double-click this file, and then click Next.
    You can find this certificate in the extracted roots.zip file in the folder VeriSign Root Certificates\Generation 5 (G5) PCA.
  5. For Certificate Store, ensure you place the certificate into Trusted Root Certification Authorities, and then click Next.
  6. Review the settings, and then click Finish.

The Certificate Import Wizard should report success.

IV. To install the Symantec Class 3 Code Signing 2010 CA certificate

  1. While in the Microsoft Windows Management Console, click to expand Intermediate Certification Authorities.
  2. Right-click Certificates, and then click All Tasks > Import.
  3. Click Browse to navigate to VeriSign_Class_3_Code_Signing_2010_CA.cer. Double-click this file, and then click Next.
  4. For Certificate Store, ensure you are placing the certificate into Intermediate Certification Authorities, and then click Next.
  5. Review the settings, and then click Finish.

The Certificate Import Wizard should report success.


Before following the steps above, it may also be necessary to delete one or more Symantec/VeriSign certificates from the 'Untrusted Certificates' folder. These are certificates that, upon review of the actual root certificate, display the error 'This certificate has been revoked by its certification authority'. When you discover that one of the certificates shows up as 'revoked' even though Symantec/VeriSign did not revoke it, it typically means that the certificate was either moved or copied to the 'Untrusted Certificates' store on the local machine.
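Steps III and IV, together with the 'Untrusted Certificates' check, can be scripted. The PowerShell below is an added example, not Symantec's or DigiCert's own procedure. It assumes an elevated prompt in the folder holding the extracted files and the `Import-Certificate` cmdlet (Windows 8 / Server 2012 or later); the thumbprint values are placeholders to be filled in from a source you trust, and nothing is imported until they match.

```powershell
# Added example. Thumbprints are placeholders (assumption): replace them with
# values obtained from a trusted source before running.
$items = @(
    @{ Pattern  = 'VeriSign Class 3 Public Primary Certification Authority*G5.cer'
       Store    = 'Cert:\LocalMachine\Root'    # Trusted Root Certification Authorities
       Expected = '<G5-ROOT-THUMBPRINT>' },
    @{ Pattern  = 'VeriSign_Class_3_Code_Signing_2010_CA.cer'
       Store    = 'Cert:\LocalMachine\CA'      # Intermediate Certification Authorities
       Expected = '<CODE-SIGNING-2010-CA-THUMBPRINT>' }
)

foreach ($i in $items) {
    $file = Get-ChildItem -Path . -Recurse -Filter $i.Pattern | Select-Object -First 1
    if (-not $file) { Write-Warning "Not found: $($i.Pattern)"; continue }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName

    # Refuse to add trust for a file whose fingerprint is not the expected one.
    if ($cert.Thumbprint -ne $i.Expected) {
        Write-Warning "$($file.Name): thumbprint $($cert.Thumbprint) does not match. Not importing."
        continue
    }

    # A copy in Untrusted Certificates (the Disallowed store) makes the
    # certificate appear revoked no matter where else it is installed.
    $blocked = Get-ChildItem Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($blocked) {
        Write-Warning "$($cert.Subject) is in Untrusted Certificates. Review that entry first."
        continue
    }

    if (Test-Path (Join-Path $i.Store $cert.Thumbprint)) {
        "Already present in $($i.Store): $($cert.Subject)"
        continue
    }

    Import-Certificate -FilePath $file.FullName -CertStoreLocation $i.Store | Out-Null
    "Imported into $($i.Store): $($cert.Subject)"
}
```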