I’ve encountered quite a few people who are not quite sure how certificates work. I posted a rather simplified explanation on the matter on Technet and just wanted to add it here.
Trusts and Certificates
Certificates come in chains; think of each link in the chain as one certificate. Whenever you browse to an https site (SSL/TLS), your browser requests the certificate information from the server and checks the whole chain.
For a certificate to be trusted, you need to trust the top of the chain (the Certificate Authority root), and the chain must pass through any Intermediate Certificate Authorities that sit between the root and your certificate. If you open a certificate and look at the Certification Path tab, you will see this full chain of certificates.
When you buy a certificate from a public provider, the provider's root certificate is already in the computer's certificate store (Trusted Root Certification Authorities), and the intermediates are either in the Intermediate Certification Authorities store or sent by the web server together with your certificate.
This means your computer already trusts the provider of the certificate, and therefore your certificate is trusted as well. The same applies to any other Windows computer that has that root in its store.
With a self-signed certificate, nobody has the issuer in Trusted Root Certification Authorities by default, so every client will warn about it. Why should I trust you as a certificate provider anyway? 🙂
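To see this chain walk for yourself, here is an added example (not from the original post) that asks Windows to build the chain for a certificate and reports whether it ends in a trusted root. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the self-signed certificate and the host name jesper.contoso.com are made up for the demo.

```powershell
# Added example: build and inspect a certificate chain with the same
# X509Chain engine Windows uses, then compare a self-signed certificate
# with one whose root is already in Trusted Root Certification Authorities.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline demo: skip CRL/OCSP lookups. Leave revocation checking on in production.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)

    # Element 0 is the certificate itself; the last element is the root it chains to.
    $i = 0
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        Write-Host ('{0}: {1}  (issued by {2}, thumbprint {3})' -f $i, $c.Subject, $c.Issuer, $c.Thumbprint)
        $i++
    }
    if (-not $trusted) {
        foreach ($status in $chain.ChainStatus) {
            Write-Host ('Chain problem: {0} - {1}' -f $status.Status, $status.StatusInformation.Trim())
        }
    }
    $chain.Dispose()
    return $trusted
}

# 1) A self-signed certificate created on the spot (constructed for the demo).
#    Its issuer is not in Trusted Root Certification Authorities, so Build()
#    returns False and ChainStatus reports UntrustedRoot.
$selfSigned = New-SelfSignedCertificate -DnsName 'jesper.contoso.com' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(1)
Test-CertificateChain -Certificate $selfSigned
Remove-Item -Path "Cert:\CurrentUser\My\$($selfSigned.Thumbprint)"

# 2) Any unexpired root that is already installed chains to itself and is
#    trusted, so Build() returns True. A CA-issued leaf from Cert:\LocalMachine\My
#    would show the full leaf -> intermediate -> root path the same way.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -gt (Get-Date) } | Select-Object -First 1
Test-CertificateChain -Certificate $root
```

The ChainStatus values are the same reasons Internet Explorer, Edge or any other SChannel client gives when it warns: UntrustedRoot for a self-signed or private CA certificate, PartialChain when an intermediate is missing, NotTimeValid when the certificate has expired.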
Names and certificates
When certificates are created, they are bound to a specific name. This can be either an explicit name: ‘jesper.contoso.com’, or a wildcard: ‘*.contoso.com’.
The difference between the two is that jesper.contoso.com will only work for jesper.contoso.com, whereas *.contoso.com will work for james.contoso.com, john.contoso.com or jesper.contoso.com (name matching is case-insensitive). A wildcard only stands in for one label, so *.contoso.com does not cover contoso.com itself or mail.jesper.contoso.com.
The certificate name does not care about anything after the host name: ‘jesper.contoso.com/rum’ and ‘jesper.contoso.com/whisky’ are exactly the same in terms of certificates.
A certificate can also contain multiple names in the SAN (Subject Alternative Name) extension, and modern browsers in fact only check the SAN list and ignore the subject name. But that's another story, which is not relevant right now.
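The matching rules above (exact name, single-label wildcard, case-insensitive host, path ignored, any name in the list may match) are easy to get wrong, so here is an added example, not part of the original post, that implements them as a small PowerShell function and runs it over constructed names. It goes slightly beyond the post by accepting a list of names, which is what a SAN certificate carries.

```powershell
# Added example: does a certificate's name list cover the host in a URL?
# Implements the rules browsers apply (RFC 6125): case-insensitive compare,
# '*' only as the whole leftmost label, matching exactly one label, path ignored.
function Test-CertificateNameMatch {
    param(
        [Parameter(Mandatory)][string[]]$CertificateNames,  # CN and/or SAN dNSName entries
        [Parameter(Mandatory)][string]$Url                   # what the user typed in the browser
    )
    # Only the host part matters; 'https://jesper.contoso.com/rum' -> 'jesper.contoso.com'
    $hostName = ([System.Uri]$Url).Host.ToLowerInvariant()

    foreach ($name in $CertificateNames) {
        $pattern = $name.ToLowerInvariant()
        if (-not $pattern.StartsWith('*.')) {
            # Explicit name: must be identical.
            if ($hostName -eq $pattern) { return $true }
            continue
        }
        # Wildcard: everything after the '*' must match literally...
        $suffix = $pattern.Substring(1)                      # '.contoso.com'
        if (-not $hostName.EndsWith($suffix)) { continue }
        # ...and the '*' must stand in for exactly one non-empty label.
        $firstLabel = $hostName.Substring(0, $hostName.Length - $suffix.Length)
        if ($firstLabel.Length -gt 0 -and -not $firstLabel.Contains('.')) { return $true }
    }
    return $false
}

# Constructed checks (hosts made up for the demo):
Test-CertificateNameMatch 'jesper.contoso.com' 'https://jesper.contoso.com/rum'     # True:  path is ignored
Test-CertificateNameMatch 'jesper.contoso.com' 'https://james.contoso.com/whisky'   # False: explicit name only
Test-CertificateNameMatch '*.contoso.com'      'https://James.contoso.com/'         # True:  case-insensitive
Test-CertificateNameMatch '*.contoso.com'      'https://contoso.com/'               # False: '*' needs one label
Test-CertificateNameMatch '*.contoso.com'      'https://mail.jesper.contoso.com/'   # False: '*' is one label only
Test-CertificateNameMatch @('contoso.com', '*.contoso.com') 'https://contoso.com/' # True:  SAN list, apex listed
```

A certificate that must serve both contoso.com and its subdomains therefore needs both ‘contoso.com’ and ‘*.contoso.com’ in the SAN list; the wildcard alone is not enough.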
Keys and Certificates
Not all applications require the private key. An application in the Microsoft universe will usually ask for either a .cer (which is without the private key) or a .pfx (which includes the private key, protected by a password).
The .cer is what is used for anything public facing. Anyone can download the .cer from your site by viewing the certificate, and it never includes the private key. A .pfx is obtained from the server itself by exporting the certificate including the private key. If you cannot export with the private key, either the certificate in that store has no private key at all or the private key was not marked as exportable when it was created. Guard the .pfx and its password: whoever holds them can impersonate the server.
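To tell the two cases apart before you start exporting, here is an added example (not from the original post) that reads the private-key state of a certificate and then walks through both exports. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 10 / Server 2016 or later (for the -KeyExportPolicy parameter); the certificate names, the password and the paths under $env:TEMP are made up for the demo.

```powershell
# Added example: is there a private key, and is it exportable? Then export
# the public part as .cer and the key pair as .pfx, and see the .pfx export
# fail on a key that was created non-exportable.
function Get-PrivateKeyState {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if (-not $Certificate.HasPrivateKey) { return 'no private key (this is just a .cer)' }

    # Keys created on current Windows live in CNG and carry an export policy;
    # legacy CSP keys expose CspKeyContainerInfo.Exportable instead.
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($key -is [System.Security.Cryptography.RSACng]) {
        if ($key.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) {
            return 'private key present and exportable'
        }
        return 'private key present but not marked exportable'
    }
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        if ($key.CspKeyContainerInfo.Exportable) { return 'private key present and exportable' }
        return 'private key present but not marked exportable'
    }
    return 'private key present (export policy not readable for this key type)'
}

$password = ConvertTo-SecureString 'demo-only-password' -AsPlainText -Force   # constructed, demo only

# Exportable key: both the .cer and the .pfx export succeed.
$exportable = New-SelfSignedCertificate -DnsName 'jesper.contoso.com' -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddDays(1)
Get-PrivateKeyState $exportable                                                        # exportable
Export-Certificate    -Cert $exportable -FilePath "$env:TEMP\jesper.cer" | Out-Null    # public part only
Export-PfxCertificate -Cert $exportable -FilePath "$env:TEMP\jesper.pfx" -Password $password | Out-Null

# Non-exportable key: the .cer still exports, the .pfx export is refused.
$locked = New-SelfSignedCertificate -DnsName 'locked.contoso.com' -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddDays(1)
Get-PrivateKeyState $locked                                                            # not exportable
try {
    Export-PfxCertificate -Cert $locked -FilePath "$env:TEMP\locked.pfx" -Password $password -ErrorAction Stop | Out-Null
} catch {
    Write-Host "Export-PfxCertificate failed as expected: $($_.Exception.Message)"
}

# A .cer loaded back from disk carries no private key at all.
$fromDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$env:TEMP\jesper.cer")
Get-PrivateKeyState $fromDisk                                                          # no private key

# Clean up the demo certificates and files.
Remove-Item "Cert:\CurrentUser\My\$($exportable.Thumbprint)", "Cert:\CurrentUser\My\$($locked.Thumbprint)"
Remove-Item "$env:TEMP\jesper.cer", "$env:TEMP\jesper.pfx", "$env:TEMP\locked.pfx" -ErrorAction SilentlyContinue
```

The non-exportable case is the one behind most "the export option is greyed out" questions: the key is there and the server uses it fine, but it was requested without the exportable flag, and the only way to get a .pfx is to request a new certificate with an exportable key.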