The focal point of a PKI setup is the Certificate Authority (CA). The CA works as the management hub for the digital certificates.
Considering the load on CAs, some setups use an additional server called the Registration Authority (RA). The RA takes some of the load off the CA by verifying the data submitted to the CA before digital certificates are issued. The RA acts as an interface between the user and the CA. The RA is generally found in the hierarchical model, where the workload of the CA may need to be offloaded.
One of the main requirements of PKI is to be able to store public keys and certificates at a location that can be accessed by the public. The public and private keys are created at the same time using the same predefined algorithm.
A digital certificate is a collection of predefined information related to a component of the PKI setup called the Public Key. Digital certificates use the X.509 standard. The X.509 standard allows the association between the user's Distinguished Name and the public key. The Distinguished Name is provided by the Naming Authority and is used as a unique number while creating the certificate. An X.509 certificate generally contains the following:
- Serial Number:
- Subject: Name of the organization or the person identified.
- Signature Algorithm
- Valid From:
- Valid To:
- Public Key
- Thumbprint Algorithm
A Certificate Policy (CP) is the set of rules that indicates exactly how the certificate may be used. The CP is a plain text document that is assigned a unique object ID so that anyone can reference it. A certificate can be used under multiple policies. For example, a digital certificate can be used for:
- Access control
- Setting up a trusted connection
- System sign-on
- Digitally signing documents
A Certificate Practice Statement (CPS) explains how to implement the Certificate Policy. It describes how the CA plans to manage the certificates it issues. All CAs should have a CPS.
Digital certificates are revoked when the information they contain is no longer valid or trusted. The most common reason for the revocation of digital certificates is the compromise of the private key. Note that certificate revocation is different from certificate expiration. A certificate can be revoked by the CA by confirming with the certificate owner or the PKI administrator.
Certificate Revocation List (CRL): The X.509 standard requires that a CRL be published. CRLs contain the revocation status of the certificates that the CA manages. CRLs can be:
- Simple CRL
- Delta CRL
Online Certificate Status Protocol (OCSP): Returns the following details about a queried certificate:
- The certificate status (good/revoked/unknown)
- The last update on the certificate status
- The next time the status will be updated
- The time when the response is sent
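
To make the CRL and OCSP descriptions above concrete, here is an added example (not part of the original text): a simplified status responder in Python that merges a simple CRL with a delta CRL and returns the four OCSP details listed. The class and function names, the sample serial numbers and dates, and the choice to answer "unknown" when the revocation data is stale are assumptions made for illustration; real CRLs and OCSP responses are signed ASN.1 structures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class CRL:                      # simplified stand-in for an X.509 CRL
    this_update: datetime
    next_update: datetime
    revoked: dict               # serial number -> revocation time

@dataclass
class StatusResponse:           # the four OCSP details listed above
    cert_status: str            # "good", "revoked" or "unknown"
    this_update: datetime       # last update of the status
    next_update: datetime       # next time the status will be updated
    produced_at: datetime       # time the response is sent

def merge_crls(base, delta=None):
    """Combine a simple (full) CRL with a newer delta CRL."""
    revoked, latest = dict(base.revoked), base
    if delta is not None and delta.this_update >= base.this_update:
        revoked.update(delta.revoked)   # entries added since the base CRL
        latest = delta
    return revoked, latest.this_update, latest.next_update

def check_status(serial, issued, base, delta, now):
    """Answer a status query the way an OCSP responder would."""
    revoked, this_update, next_update = merge_crls(base, delta)
    if serial not in issued or now > next_update:
        status = "unknown"      # not our certificate, or stale data (assumed policy)
    elif serial in revoked and revoked[serial] <= now:
        status = "revoked"
    else:
        status = "good"
    return StatusResponse(status, this_update, next_update, now)

def is_expired(valid_to, now):
    """Expiration is a separate check from revocation."""
    return now > valid_to

# Constructed sample data (not from any real CA): serial -> "Valid To" date.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)
ISSUED = {0x1001: NOW + 90 * DAY, 0x1002: NOW + 90 * DAY, 0x1003: NOW - DAY}
BASE = CRL(NOW - 5 * DAY, NOW + 2 * DAY, {0x1001: NOW - 6 * DAY})
DELTA = CRL(NOW - DAY / 2, NOW + DAY / 2, {0x1002: NOW - DAY})

if __name__ == "__main__":
    for serial, valid_to in ISSUED.items():
        resp = check_status(serial, ISSUED, BASE, DELTA, NOW)
        print(hex(serial), resp.cert_status, "expired" if is_expired(valid_to, NOW) else "valid")
```

Serial 0x1002 is reported as revoked only when the delta CRL is consulted, and 0x1003 is expired yet still has status "good", which is why a relying party has to check both the validity period and the revocation status.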