PKI terminology
Digital certificate
A digital certificate is an electronic document signed by a CA that binds a public key with the identity of its owner.
A digital certificate includes the following information:
Issuer name (name of the CA that issued the certificate).
Subject name (name of the individual or group to which the certificate is issued).
Identity information of the subject.
Subject's public key.
Signature of the CA.
Validity period.
A digital certificate must comply with the international standards of ITU-T X.509, of which X.509 v3 is the most commonly used.
This chapter covers the following types of certificates:
CA certificate—Certificate of a CA. Multiple CAs in a PKI system form a CA tree, with the root CA at the top. The root CA generates a self-signed certificate, and each lower level CA holds a CA certificate issued by the CA immediately above it. The chain of these certificates forms a chain of trust.
Registration authority (RA) certificate—Certificate issued by a CA to an RA. RAs act as proxies for CAs to process enrollment requests in a PKI system.
Local certificate—Digital certificate issued by a CA to a local PKI entity, which contains the entity's public key.
Peer certificate—CA-signed digital certificate of a peer, which contains the peer's public key.
Certificate revocation list
A certificate revocation list (CRL) is a list of serial numbers for certificates that have been revoked. A CRL is created and signed by the CA that originally issued the certificates.
The CA publishes CRLs periodically to revoke certificates. Entities that are associated with the revoked certificates should not be trusted.
The CA must revoke a certificate when any of the following conditions occurs:
The certificate subject name is changed.
The private key is compromised.
The association between the subject and CA is changed. For example, when an employee terminates employment with an organization.
CA policy
A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs. Typically, a CA advertises its policy in a certification practice statement (CPS). You can obtain a CA policy through out-of-band means such as phone, disk, and email. Make sure you understand the CA policy before you select a trusted CA for certificate request because different CAs might use different policies.