A certificate-based encryption mechanism in which a source client does not access the entire certificate corresponding to a destination client when encrypting an electronic message to be sent to the destination client. Instead, the source client only requests a portion of the certificate from a certificate server. That portion includes encryption information, but may lack some or even all of the self-verification information in the certificate. The certificate server preferably performs any validation of the certificate prior to sending the encryption information to the source client. The certificate need not be separately validated by the source client, especially if the certificate server is trusted by the source client.