Digital certificates should not be a SOX compliance requirement. Digital certificates are primarily used for two purposes: authentication and encryption. For a digital certificate to be trusted, there must be a trusted root that all parties “trust” (like a Verisign or Geotrust). This means that the owner of the certificate is who they say they are. The encryption part of a digital certificate is provided by public/private keys. The certificate usually includes the public key of the owner. This is what is used for encrypted sessions to this owner. I wrote a <a href="http://itknowledgeexchange.techtarget.com/it-trenches/certificates-who-do-you-trust/">blog about trust and digital certificates</a>. Check it out. I will be glad to answer any additional questions on this topic.
In the IT trenches? So am I – read my <a href="http://itknowledgeexchange.techtarget.com/it-trenches">IT-Trenches blog</a>
*Note to Puneet – Great additional material, but please add your comments to the bottom of existing answers. Do not delete existing content; that is the moderator’s responsibility. Thanks. Troy Tate
Just to add, the SOX compliance requirement for Certificates broadly covers two controls:
* enable Web-based authentication using a broad range of identity types, including usernames and passwords, SAML, Microsoft Passport, and digital certificates stored on a user’s computer or on a hardware smart card, token, or biometric device
* enable strong authentication in a client-server environment, helping to ensure that only strongly authenticated users are able to access sensitive information contained in encrypted files, folders and email messages
Data Protection & Integrity
Internal controls around both data access and data integrity can be enforced through the use of encryption and digital signatures, respectively. Data contained in files, folders, or email messages can be encrypted to prevent unauthorized access due to security breaches or weak access controls. That same data can be digitally signed to provide both transaction accountability and data integrity, supplying organizations not only with information on who signed the data, but also verification that it did not change from the time it was signed, regardless of whether it traveled across the Internet or was stored locally.
Hope this helps.