In most enterprise-level public key infrastructure systems, there is a dependence upon certificate chains to verify the identity of a party. When a Certificate Authority (CA) issues a certificate for any party, the legitimacy of that certificate authority must be verified. This is usually done by a higher certificate authority. This higher authority is part of a unique certification hierarchy which is eventually overseen by a root certificate. It is so called because it is the root of the certificate tree or the monarch of the certificate domain.

If we visualize each certificate domain as a tree, the Certification Authorities make up the branches of the tree. Each branch is capable of extending (or issuing) multiple certificates.

While using Public Key Infrastructure (PKI) it is important that the user not restrict his/her understanding to how a root certificate is issued by certificate authorities. Instead, he/she should also try to learn how certificates are cancelled and how the details about such certificate terminations are made available to clients responsible for managing the certificates. Because the entire system works on a security concept, it is only natural that various applications may check for the authenticity of certificates. Each client expects a current, trusted certificate rather than one that has expired, been revoked, or cannot be verified.

The certificate termination information is usually stored in a certification revocation list. However, this is not the only form of notification possible. The applications that have been presented with a certificate will validate a certificates current status by contacting any of the concerned websites for an updated certification revocation list.

For example, in a Microsoft Windows server application, if the application demands the verification status of a certificate, the update root certificate component of the operating system will automatically check the list of trusted certificate authorities in the Windows Update website to see if the corresponding certificate or Certificate Authority is a part of the list. Such cross checking becomes necessary when the application has been presented with a certificate whose CA is not directly trusted or may not be known. Keep in mind, the function of the update root certificate component is optional and can be disabled or removed at the time of installation by the user.

Now, if the user opts to refuse installation of the update root certificate component, it’s possible that technical problems may develop, especially in the event of an application coming across a root certificate that needs an authentication check before it can continue. In such a case, when the application finds that the update root certificate component is absent in the PC, it may stop itself from performing the originally intended action such as software installation, viewing a digitally signed or an encrypted email, or using a browser to engage in an SSL session.

In such instances, it is advisable to provide relevant instructions to the system administrators on what to do if it stumbles across suspicious certificates.