A certificate is a set of data that identifies an entity. A trusted organization assigns a certificate to an individual or an entity that associates a public key with the individual. The individual or entity to whom a certificate is issued is called the subject of that certificate. The trusted organization that issues the certificate is a certification authority (CA) and is known as the certificate's issuer. A trustworthy CA will only issue a certificate after verifying the identity of the certificate's subject.
Public key encryption is a cryptographic technique which enables users to securely communicate on an insecure public network, and reliably verify the identity of a user via digital signatures.
A Public Key Infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository, and revokes them if needed.
A PKI consists of:
- A certificate authority (CA) that both issues and verifies the digital certificates.
- A registration authority which verifies the identity of users requesting information from the CA
- A central directory -- i.e. a secure location in which to store and index keys.
- A certificate management system
简单来说,PKI就是用来创建、存储和分发数字证书的系统。它包括4部分:CA负责发出和验证数字证书;RA负责验证用户身份;central directory负责保存和索引key;还有就是一个certificate管理系统。
Certificate Hierarchy
As the number of issued certificates in a public key infrastructure (PKI) increases, it can become difficult for a single certification authority (CA) to effectively track the certificates it has issued. One way to address this is to create a certificate hierarchy in which the CA delegates the authority to issue certificates to subordinate authorities which can, in turn, delegate authority to their subordinates. Each CA delegates authority by issuing a CA certificate to a subordinate. The initial CA in the chain is called the root, and it is not necessary for an entity to establish trust with any CA that resides on a different Certificate Chain from that on which the entity resides.
一个实体是没有必要跟不在同一证书链上的CA建立信任关系的。比如下图中的Contoso Manufacturing Subordinate CA-1是没有必要跟Contoso Marketing CA建立信任关系的。
The following illustration shows a certificate hierarchy made up of one root CA, two CAs subordinate to the root (one for the marketing department and one for the manufacturing department), and CAs that are subordinate to these.
Certificate Chain
A certificate chain is a hierarchal collection of certificates that leads from the end user or computer back to a root of trust, typically the root certification authority (CA) of an organization. Because all parties presumably trust the root certificate, a party can gain trust in an end-entity certificate by verifying the certificate chain. Verification typically requires establishing that each certificate in the chain:
- Is signed by the public key in the prior certificate.
- Has not expired.
- Has not been revoked.
- Conforms to the policies specified by prior certificates.