The CL provides support for the certificate life cycle and for format-specific certificate or CRL manipulation, services that an application can access through OCSF. These libraries allow applications and service provider modules to create, sign, verify, and revoke certificates without requiring knowledge of certificate and CRL format and encoding.

A certificate is a form of credential. Under current certificate models, such as X.509, Simple Distributed Security Infrastructure (SDSI), Simple Public Key Infrastructure (SPKI), etc., a single certificate represents the identity of an entity (in the form of a binding between a name and a public key) and optionally associates authorizations with that entity. When a certificate is issued, the issuer includes a digital signature on the certificate. Verification of this signature is the mechanism used to establish trust in the identity and authorizations recorded in the certificate. Certificates can be signed by one or more other certificates. Root certificates are self-signed. The syntactic process of signing corresponds to establishing a trust relationship between the entities identified by the certificates.

Figure 2 presents the certificate life cycle. It begins with the registration process. During registration, the authenticity of a user's identity is verified. This can be a two-part process beginning with manual procedures requiring physical presence, followed by backoffice procedures to register results for use by the automated system. The level of verification associated with the identity of the individual will depend on the Security Policy and Certificate Management Practice Statements that apply to the individual who will receive a certificate, and the domain in which that certificate will be issued and used.

After registration, keying material is generated and a certificate is created. Once the private key material and public key certificate are issued to a user, and backed up if appropriate, the active phase of the certificate management life cycle begins. The active phase includes:

• Retrieval - Retrieves a certificate from a remote repository such as an X.500 directory.
• Verification - Verifies the validity dates and signatures on a certificate and revocation status.
• Revocation - Asserts that a previously legitimate certificate is no longer a valid certificate.
• Recovery - When an end user can no longer access encryption keys (e.g., forgotten password).
• Update - Issues a new public/private keypair when a legitimate pair has or will expire soon.