Establishing a Secure Session

Upon establishing a preliminary connection with a target server, the Personal Communications client is presented a certificate by that server; if you have enabled client certificate authentication, your certificate is likewise presented to the server. The digital signature of the CA on the presented certificate is authenticated using a published root certificate of the issuing CA: the client automatically verifies that signature using the public key carried in the CA's root certificate. This step succeeds only when the presented certificate was signed with the well-guarded, unique, corresponding private key, known only to the CA. This process can detect (and reject) intentional alterations (forgeries) and the rare garbling that can occur over data circuits.
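The issuer check described above, as an added example that is not Personal Communications code: using only Go's standard library, it builds a constructed root CA and server certificate, then runs the client-side verification three times, accepting the genuine certificate and rejecting a copy altered in transit and a forgery issued by a CA whose root the client does not hold. The host and CA names are assumptions made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for name: self-signed (a root CA) when parent is nil, otherwise signed by the parent CA's key.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der) // cert.Raw is the DER exactly as it travels on the wire
	return cert, key
}

// Scenarios presents three certificates to a client that trusts one root; all names are constructed for the example.
func Scenarios() (genuine, altered, forged error) {
	const host = "tn3270.example.internal"
	root, rootKey := newCert("Example Root CA", true, nil, nil)
	trusted := x509.NewCertPool() // the client's store of published root certificates
	trusted.AddCert(root)
	// The client-side check: the issuer's signature must validate against a trusted root and the name must match.
	check := func(presented *x509.Certificate) error {
		_, err := presented.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
		return err
	}
	server, _ := newCert(host, false, root, rootKey)
	// One byte of the signed subject changed in transit: the CA signature no longer matches.
	tampered, _ := x509.ParseCertificate(bytes.Replace(server.Raw, []byte("tn3270."), []byte("tn327O."), 1))
	// Same host name, but issued by a CA whose root the client does not hold: a forgery.
	rogue, rogueKey := newCert("Rogue CA", true, nil, nil)
	forgedServer, _ := newCert(host, false, rogue, rogueKey)
	return check(server), check(tampered), check(forgedServer)
}
```

Only the first result is nil; the other two carry the verifier's error, which is the signal a client uses to refuse the session before any key negotiation takes place.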

Personal Communications also allows users to use self-signed certificates for this purpose.
Note:
Windows® 8, Windows® 8.1, and Windows® 10 do not support self-signed client certificates. If you attempt to connect a client authentication session using the Microsoft CryptoAPI security provider and a self-signed client certificate, the connection will fail.

Once this certificate-issuer authentication step succeeds, the client and server negotiate an encryption key to be used for the ensuing data exchange session.