<P> To do this, it first generates a key pair, keeping the private key secret and using it to sign the CSR . This contains information identifying the applicant and the applicant's public key that is used to verify the signature of the CSR - and the Distinguished Name (DN) that the certificate is for . The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority . </P> <P> The certification authority issues a certificate binding a public key to a particular distinguished name . </P> <P> An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system . Browsers such as Internet Explorer, Firefox, Opera, Safari and Chrome come with a predetermined set of root certificates pre-installed, so SSL certificates from major certificate authorities will work instantly; in effect the browsers' developers determine which CAs are trusted third parties for the browsers' users . For example, Firefox provides a CSV and / or HTML file containing a list of Included CAs . </P> <P> X. 509 and RFC 5280 also include standards for certificate revocation list (CRL) implementations . Another IETF - approved way of checking a certificate's validity is the Online Certificate Status Protocol (OCSP). Firefox 3 enables OCSP checking by default, as do versions of Windows from at least Vista and later . </P>

Which of the following best describes the contents of the certificate chain