The DCE certification service provides for the secure retrieval of public keys, stored (through the DCE directory service) under the names of the principals with which the keys are associated. It is a name-to-public-key translation service intended to be used both by DCE components and by DCE applications. The keys are stored in data structures called "certificates."
Rules that define which entities are trusted to create certificates for which principals are embodied in policy modules. A policy module has the job of retrieving, upon request, the public key from a certificate, and of verifying the certificate itself when doing so.
DCE certification is a "secondary" facility, in that the service it provides is useful only in the context of some other application activity. Essentially, it does nothing but return public keys when presented with principal names (provided that the public keys have been properly stored under the names in the first place). It is then up to the application to do something useful with the keys.
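A small model of the arrangement just described, added here as an illustration and not DCE's own API: a directory keyed by principal name holds certificates, and a policy module decides which issuer is trusted for which part of the name space and verifies the certificate before handing the key back. All class, function and principal names are constructed for the example, and the issuer's digital signature is stood in for by an HMAC tag so that it runs with the standard library alone.

```python
import hmac, hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Certificate:
    principal: str     # directory name the certificate is stored under
    public_key: bytes  # the key the application is after
    issuer: str        # entity that created the certificate
    tag: bytes         # issuer's integrity tag (stand-in for its signature)

def _tag(issuer_key, principal, public_key):
    # Binds the name to the key; a real issuer would sign this with its private key.
    return hmac.new(issuer_key, principal.encode() + b"\0" + public_key, hashlib.sha256).digest()

def issue(issuer, issuer_key, principal, public_key):
    """Issuer creates a certificate binding a principal name to a public key."""
    return Certificate(principal, public_key, issuer, _tag(issuer_key, principal, public_key))

class PolicyModule:
    """Trust rules: which issuers may certify which part of the name space."""
    def __init__(self, rules, issuer_keys):
        self.rules = rules              # {issuer: [name prefixes it may certify]}
        self.issuer_keys = issuer_keys  # {issuer: key used to check its tags}

    def trusted_for(self, issuer, principal):
        return any(principal.startswith(p) for p in self.rules.get(issuer, ()))

    def retrieve_key(self, directory, principal):
        """Name-to-public-key translation: verify the certificate, then return the key."""
        cert = directory.get(principal)
        if cert is None:
            raise LookupError(f"no certificate stored under {principal}")
        if cert.principal != principal:
            raise ValueError("certificate does not name the requested principal")
        if not self.trusted_for(cert.issuer, principal):
            raise PermissionError(f"{cert.issuer} is not trusted to certify {principal}")
        if not hmac.compare_digest(_tag(self.issuer_keys[cert.issuer], cert.principal, cert.public_key), cert.tag):
            raise ValueError("certificate failed verification")
        return cert.public_key

def demo_outcomes():
    """Constructed sample: two cells with their own issuers, plus one tampered entry."""
    keys = {"cell_a/ca": b"cell-a-issuer-key", "cell_b/ca": b"cell-b-issuer-key"}
    policy = PolicyModule({"cell_a/ca": ["cell_a/"], "cell_b/ca": ["cell_b/"]}, keys)
    good = issue("cell_a/ca", keys["cell_a/ca"], "cell_a/hosts/payroll", b"PUBKEY-PAYROLL")
    # cell_a's issuer has no authority over cell_b names: policy must refuse this one
    foreign = issue("cell_a/ca", keys["cell_a/ca"], "cell_b/users/bob", b"PUBKEY-BOB")
    # key swapped after issuance: the issuer's tag no longer matches
    tampered = replace(issue("cell_b/ca", keys["cell_b/ca"], "cell_b/users/eve", b"PUBKEY-EVE"), public_key=b"PUBKEY-SWAPPED")
    directory = {c.principal: c for c in (good, foreign, tampered)}
    out = {}
    for name in directory:
        try:
            out[name] = policy.retrieve_key(directory, name)
        except (LookupError, ValueError, PermissionError) as e:
            out[name] = type(e).__name__
    return out
```

Only the payroll entry yields a key; the other two are refused by the policy module before any key reaches the application.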
This topic is not intended to provide detailed guidance on how DCE applications should use public keys, although some discussion of public key usage is included. It is mainly concerned with explaining how DCE applications can use the certification service to store and retrieve the keys.