Public Key Infrastructure

Some stuff about PKI

PKI, or Public Key Infrastructure, is a strange thing.
Or rather, it is a somewhat hard-to-grasp subject.
Most of this will be about PKI in a Microsoft environment, but the basics apply to PKI as a concept.

A CA, or Certificate Authority, is the supplier of certificates. The structure is somewhat like DNS, with the TLD at the top and subordinates in a chain,
though with PKI it is all about TRUST!
Who do I trust, and who trusts me?
If you trust me, you will automatically trust everything I have done/made.
Jumping a bit ahead there..

A CA gives out certificates.
A certificate is somewhat like an identification paper/driver's license/passport: it proves that the CA highest in a/the "chain of trust" has deemed
the certificate holder as identified.
This does not mean that everyone and everything will believe it though; the number of "believers" depends on the trusting parties.
Digisign, Verisign and a bunch more are CAs that are trusted "to the core".
Why?
Check your Windows installation....
Start -> Run -> [type] mmc [ok] -> File -> Add/remove snap-in -> [mark] Certificates -> [ok]
Click the second item in the "right pane" (should say "Trusted Root ....." something),
expand it and mark the Certificates folder.
All listed within this folder are trusted to give out certificates that you will automatically trust.
Secure?
Well, ask the Dutch government, or do a Google search on the term "DigiNotar" :)

If you look at the 4th column in the list you'll see something called "key usage"; this lists the functions each provider can issue certificates for.
All certificates have a key usage, and it is set through the (creator) templates:
a set of settings that will be used during the creation of a new certificate.
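The same trusted root list and its "key usage" column can be pulled out with PowerShell instead of clicking through mmc. This is an added example, not code from the original post; it assumes a Windows box with the Cert: provider, and the store path and expiry threshold are assumptions you can change.

```powershell
# Added example: audit the Trusted Root store that the mmc walk-through shows.
# Store path and the expiry threshold are assumptions (parameters), not from the post.
function Get-TrustedRootReport {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\Root',   # Cert:\LocalMachine\Root for machine-wide roots
        [int]$ExpiresWithinDays = 365
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # The "Intended Purposes"/"key usage" column in mmc comes from the Enhanced Key Usage
        # extension; a root with no EKU extension is trusted for every purpose.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $purposes = if ($ekuExt) {
            ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
        } else { '<All>' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Purposes   = $purposes
            # Things a defender would look at: a root trusted for everything, one about to
            # expire, or an entry that is not self-signed (unusual in a root store).
            Flags      = @(
                if (-not $ekuExt) { 'all-purposes' }
                if ($cert.NotAfter -lt (Get-Date).AddDays($ExpiresWithinDays)) { 'expiring' }
                if ($cert.Subject -ne $cert.Issuer) { 'not-self-signed' }
            ) -join ' '
        }
    }
}

# List the roots you trust; compare the thumbprints against a known-good baseline
# to spot anything added to the store that you did not put there.
Get-TrustedRootReport | Sort-Object NotAfter | Format-Table -AutoSize
```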

Many companies use certificates internally to keep control or track of computers, users and servers on their network; those solutions are usually called
internal PKI. The CA on the corp network is seldom a public one; it is just used as an internal provider.
Other common uses of internal PKI are WLAN authentication, VPN authentication, S/MIME signing of email or encrypting email (not so common) and a whole bunch more.

Encrypting stuff is somewhat hard to implement, at least when doing it "outwards", since PKI is built on 2 keys, one public and one private.
The holder has the private one, and the public one is public ;)
(no shit sherlock)
To be able to encrypt you gotta know the public part of the receiver's certificate, and you use your private part and their public part together to
create the magic; when the counterpart receives the encrypted mail, they use their own private key and your public part to decrypt it.
Magical stuff huh?
This sounds simple enough, but in fact it is a bit hard.

Signing is the process of using the private part of your cert to sign the mail/document with; if the receiving or reading end is in fact a trusting party (i.e. trusts the CAs in the chain of trust),
they will have verified that you are you and that the mail/doc hasn't been tampered with.

Hopefully I'll find a bit o' time to write more soon ;)
Ovah and 0ut!
