Traditionally, computer systems use a centralized account database to manage user accounts and access control. However, as computer systems become increasingly distributed, with thousands or even millions of users, this centralized control becomes unwieldy. The problems with centralized control range from network delays caused by the geographical distance to the centralized database, to slow access to that database caused by the sheer number of users.
Certificates can often alleviate these problems. Certificates can be widely distributed, issued by numerous parties, and verified by examining their contents, without having to refer to a centralized database. A user can obtain a client certificate from a trusted third-party organization, usually referred to as a certification authority, and submit the client certificate in a login request to identify the system from which the login request originates.
Conventionally, a host system uses the client certificate issued to a user's client system to authenticate the user. Thus, as part of the login process, the user is required to submit the client certificate to gain access to the host system. The use of client certificates has greatly improved the management of account access. However, the use of client certificates has traditionally been limited to authentication during the login process.
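The two properties described above, that a certificate is verified by examining its contents against a trusted certification authority rather than by consulting a central account database, and that a host uses the client certificate presented at login to identify the client system, can be shown with the Go standard library's X.509 support. The following is an added example, not code from the original text: it constructs a trusted certification authority and an unrelated one, issues a client certificate from each, and has the host verify both offline. The CA names, the subject name `client-42.example`, and the one-day validity period are constructed values for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certTemplate builds the fields shared by every certificate in this example.
func certTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // constructed validity period
	}
}

// newCA creates a self-signed certification authority (constructed for this example).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certTemplate(1, name)
	tmpl.IsCA = true
	tmpl.BasicConstraintsValid = true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert has a CA sign a certificate identifying one client system.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string) (*x509.Certificate, error) {
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := certTemplate(serial, cn)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyClient is the host's login-time check: the presented certificate is validated
// against the CA certificates the host already trusts, with no account-database lookup.
// It returns the subject name the certificate binds to, or the verification error.
func VerifyClient(cert *x509.Certificate, trusted *x509.CertPool) (string, error) {
	chains, err := cert.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return chains[0][0].Subject.CommonName, nil
}

// Demo builds one trusted CA and one unrelated CA, issues a client certificate from each
// with the same subject name, and reports which subject the host accepts and whether the
// certificate from the unrelated CA is rejected as coming from an unknown authority.
func Demo() (accepted string, rogueRejected bool, err error) {
	trustedCA, trustedKey, err := newCA("Example Trusted CA")
	if err != nil {
		return "", false, err
	}
	rogueCA, rogueKey, err := newCA("Unrelated CA")
	if err != nil {
		return "", false, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA) // the host's entire trust store: just this one CA

	good, err := issueClientCert(trustedCA, trustedKey, 2, "client-42.example")
	if err != nil {
		return "", false, err
	}
	bad, err := issueClientCert(rogueCA, rogueKey, 3, "client-42.example")
	if err != nil {
		return "", false, err
	}
	accepted, err = VerifyClient(good, pool)
	if err != nil {
		return "", false, err
	}
	_, verr := VerifyClient(bad, pool)
	var unknown x509.UnknownAuthorityError
	rogueRejected = errors.As(verr, &unknown)
	return accepted, rogueRejected, nil
}

func main() {
	accepted, rejected, err := Demo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Printf("accepted subject: %q; certificate from unrelated CA rejected: %v\n", accepted, rejected)
}
```

The point of the second certificate is that it carries exactly the same subject name as the first; the host still rejects it, because what it checks is the signature chain back to a CA it trusts, not the name. This is also why the trust store a host is configured with is the security-critical piece: every CA in that pool can issue a certificate the host will accept.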