questions about the PKI and how the certificate works

Jan 17 2010 8:22 PM

in the microsoft website, there's someting about how the certificate woks. here is the link:http://technet.microsoft.com/en-us/library/cc776447(WS.10).aspx .   now come to the topic of How Certificates Are Created.:
 
Certificates are issued by a CA, which can be any trusted service or entity willing to verify and validate the identities of those to whom it issues certificates and their association with specific keys. Companies might issue certificates to employees, schools might issue certificates to students, and so on. Of course, a CA's public key must be trustworthy or the certificates it issues will not be trusted. Because anyone can become a CA, certificates are only as trustworthy as the authority that issues the underlying keys.
The following six steps describe the process of requesting and issuing a certificate.
  1. Generate a key pair The applicant generates a public and private key pair or is assigned a key pair by some authority in his or her organization.

  2. Collect required information The applicant collects whatever information the CA requires to issue a certificate. The information could include the applicant's e-mail address, birth certificate, fingerprints, notarized documents โ€” whatever the CA needs to be certain that the applicant is who he or she claims to be. CAs with stringent identification requirements produce certificates with high assurance โ€” that is, their certificates generate a high level of confidence. CAs themselves are said to be of high, medium, or low assurance.

  3. Request the certificate The applicant sends a certificate request, consisting of his or her public key and the additional required information, to the CA. The certificate request, which is signed with the client's public key, can also be encrypted by using the CA's public key. Many requests are made by using e-mail, but requests can also be sent by postal or courier service โ€” for example, when the certificate request itself must be notarized.

  4. Verify the information The CA applies whatever policy rules it requires to verify that the applicant should receive a certificate. As with identification requirements, a CA's verification policy and procedures influence the amount of confidence generated by the certificates it issues.

  5. Create the certificate The CA creates and signs a digital document containing the applicant's public key and other appropriate information. The signature of the CA authenticates the binding of the subject's name to the subject's public key. The signed document is the certificate.

  6. Send or post the certificate The CA sends the certificate to the applicant or posts the certificate in a directory, as appropriate.

i just cannot understand the process in the step 3 : "The certificate request, which is signed with the client's public key, can also be encrypted by using the CA's public key." why is the certificate req is signed with the client's publickey not the privatekey? and it's that the private is used for signing and public key used for encrypting, isn't it ?