Today I will discuss the certificates section of IRMCheck. I plagiarized most of this from an internal note we had, but it was correct, so why not. 🙂
GIC - Group Identity Certificate. This is also known as a Rights Account Certificate (RAC). (I know, I sometimes wish we were consistent with our naming conventions, too) This is the user certificate that is used for authentication. You can use the IRMCheck GIC information to view when the certificate was issued and when it expires. You can also usually determine if it is a permanent or temporary RAC based on these dates. You should check to see if the server that issued the GIC matches the Enterprise Service Discovery Results information. If it does not, it could mean that RMS was reinstalled, or someone monkey'd around with the SCP.
CLC - Client Licensor Certificate. This is the publishing certificate which is required to do offline publishing (i.e the ability to create RMS content...not just read it). Like the GIC, you should check to see if the server that issued the CLC matches the Enterprise Service Discovery Results information. If it does not, this could cause some problems with Office. In addition, below the “Issued By” URL, the CLC also lists the licensing URLs that will be published in every document the user creates. If there are 2 URLs, it means that you have set the Extranet URL on the RMS server (the URL users with access on the internet will connect to). If RMS is failing in an Extranet scenario, you should check the CLC for the Extranet URL. If the CLC does not have the extranet URL, then the content the users publish will not have the extranet URL in the Publishing License (built into the file usually) and the Extranet user won't be able to connect to your internet facing RMS server.
Machine - Machine Certificate. This is the public key certificate to the private key for the machine. The machine key used to be global to the entire machine /w V1 (another major reason to upgrade), but in SP1, each user has their own virtual machine key. When the RMS server issues certificates, they are tied to a particular machine key. The machine certificate information in the IRMCheck is usually not useful except to identify when a client is configured to the pre-production (development) hierarchy.