Feb. 11, 2011, 8:30 a.m.
posted by gelassen
You can think of a Certificate Authority (CA) as the king. He is the ultimate authority and a figure of great trust. He is in charge of making identity papers for all his subjects. He signs these papers and stamps them with the Royal Stamp. Along with the identity papers he lists what responsibilities and privileges the bearer has. Because the king has issued and signed these papers, all subjects of the PKI kingdom trust these papers.
In order to set up a working PKI, you have to go to the king of the PKI kingdom and ask for one of these identity papers. This identity paper identifies you to the PKI kingdom and also spells out what tasks you are allowed to do. When the king is satisfied that your identity has been verified, he signs that paper for you. By magic, two keys have appeared in your pockets that are linked to the identity paper. The king keeps a copy of the paper for future reference. This paper is your Digital Certificate. Each Digital Certificate contains the following information:
Certificate Version — The X.509 version number (that is, 1, 2, or 3).
Serial Number — A certificate serial number that uniquely distinguishes this certificate from all other certificates issued by the same king (CA).
Signature Algorithm Identifier — Information about the algorithm used by the king.
Issuer Name — The name of the king (certificate’s issuing CA).
Validity Period — The activation and expiration date of the certificate.
Public Key — The owner’s public key, which the certificate binds to the name below.
Subject Distinguished Name — A name specifying the certificate’s owner.
Subject Alternative Name Email — The owner’s e-mail address.
Subject Alternative Name URI — The owner’s Web site URI/URL.
All PKI kingdoms have agreed on the format of Digital Certificates, so they all have the same types of data in the same format. That means they are able to exchange digital signatures between kingdoms (companies or organizations) and that all kingdoms will accept the identity of the bearer and the description of the certificate’s uses.
One more thing: The king doesn’t really give out Digital Certificates out of the goodness of his heart. He doesn’t have this huge altruistic streak that makes him want to make online transactions more secure. No, this is a business to him and, like all businesses, he charges for his services. And he charges a lot. So, if you need a lot of certificates from the king (CA), it could get very expensive!
So in the real world, this all translates as follows:
Your request is sent to a Certificate Authority like Entrust, Verisign, GeoTrust, Baltimore, Thawte, and so on. The request includes verifiable personal information about you like a driver’s license number or a passport number.
The CA issues you a Digital Certificate after you have completed the application. During the application process, your computer has generated both the public and private keys that are linked to the Digital Certificate.
In order to get your certificate signed by the CA, you send in notarized paperwork to the CA’s office. After they verify your identity, they sign the certificate. This is called a root signed certificate.
The above is a very simplified example of how the system works. It can get much more complex when Digital Certificates are used in the corporate world. Businesses can get their own Digital Certificates or they can have their own internal CAs. Certificates can be issued to either computers or individuals, too. But if you just want a Digital Certificate to be able to use S/MIME encryption with your e-mail program, you can contact one of the companies I mention and get one for yourself. Individual certificates are sold to individuals for a moderate fee.
If you own a Web site or conduct some form of e-commerce and you want to conduct business online, you will need to have Digital Certificates issued by a CA. If you want to set up a PKI system for your company, you will also have to have Digital Certificates. If you don’t want to deal with any of the public third-party CAs, you can set up your own kingdom and crown yourself as king! Install Certificate Authority software (or use the CA software included with most major Web server software), and you can issue your own Digital Certificates.
You can check out free software such as OpenSSL or SSLeay, which provide CA services. Microsoft has included CA services in its server software for a number of years now.
Many small businesses operate their Web sites and e-commerce sites this way or have set up their own internal PKI systems with their own CAs. In effect, you become your own trusted root and can sign all the certificates that you issue to your desktop PCs, your servers, and individuals.
Setting up your own CA takes a moderate amount of skill and the ability to sit at a server for quite a long period in order to complete the configuration and testing process. It’s not terribly difficult but it isn’t easy-peasy, either. There are a lot of windows, dialog boxes, forms to fill out, and tons of questions to answer. It requires good concentration and patience more than anything else. For that reason, I recommend that you at least read through the step-by-step instructions first. Almost all CA software products and their installation information can be found online. You may want to print out the document and read it over when you’ve got the time to take it all in.
Sometimes the PKI kingdom and the king are overwhelmed or tired of having to process all the certificate paperwork all of the time. It’s time then to delegate responsibility to someone else. Enter the Registration Authority (RA). It’s like the prince of the PKI kingdom and he can do things under the king’s authority.
The prince is a lower-level authority than the king, and in many respects can be seen as subservient to the king. The king tells the prince what authority he has and what duties he can undertake. In most situations, the prince acts as a middleman between the person requesting a Digital Certificate and the king. That’s because the king can sometimes be overwhelmed with requests coming from many different entities and the prince can help take a load off. Often the prince will process applications for identity papers (Digital Certificates) and sometimes give temporary papers until he can verify the person’s identity and then he forwards the identity papers to the king for him to sign.
If you have a small organization or a small e-commerce business, you probably won’t need an RA. As I indicate above, the RA is a type of support vehicle for a CA that gets overwhelmed with requests. You’ll most often find an RA in large organizations that have many offices. Each office can have its own RA, with the CA located at the headquarters building. The RAs can store up their requests for signed Digital Certificates and then forward them to the CA to handle all in one batch. An RA has its own digital signature (which identifies it as an RA) that is issued by the CA and gives the RA authority and permission to issue Digital Certificates. The RA’s Digital Certificate is signed by the CA to show that it is authentic. When an RA issues certificates, it creates a chain of records indicating the issuance and signing process. Not so amazingly, this downward delegation is called chaining certificates. If you were to examine the details of a Digital Certificate issued by an RA, you would see a hierarchical relationship, and the certificates at the top of the hierarchy signify a higher level of trust and authority than those at the bottom of the hierarchy.
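The whole kingdom in working code, as an added example that is not part of the original post: a Go program using only the standard library's crypto/x509 crowns a self-signed king, has him delegate to a prince, issues a subject's identity paper carrying the fields listed earlier (version, serial, signature algorithm, issuer, validity, public key, subject, e-mail and URI alternative names), and then checks that the paper chains back to the king. The names, serial numbers, Ed25519 keys and SAN values are constructed assumptions, not anything from the post.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)
func check(err error) { // a key-generation or signing failure is a bug in this demo, so just stop
	if err != nil {
		panic(err)
	}
}
// issue fills the fields listed in the post (serial, validity period, subject, key usage, e-mail and URI
// SANs), generates the subject's key pair and has parentKey sign it. A nil parent means self-signed.
func issue(serial int64, cn, email string, usage x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // the "two keys in your pocket"
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if email != "" { // constructed sample SAN values for the subject
		tmpl.EmailAddresses, tmpl.URIs = []string{email}, []*url.URL{{Scheme: "https", Host: "www.example.com"}}
	}
	if parent == nil { // the king crowns himself: template and parent are the same paper
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der) // read the signed paper back so every field is populated
	check(err)
	return cert, key
}
// BuildKingdom delegates king -> prince -> subject, the post's "chaining certificates".
func BuildKingdom() (king, prince, subject *x509.Certificate) {
	king, kingKey := issue(1, "King of the PKI Kingdom", "", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil)
	prince, princeKey := issue(2, "Prince (Registration Authority)", "", x509.KeyUsageCertSign, king, kingKey)
	subject, _ = issue(3, "Alice", "alice@example.com", x509.KeyUsageDigitalSignature, prince, princeKey)
	return king, prince, subject
}
// Verify accepts the subject's paper only if it chains, via the prince, to a king the verifier already trusts.
func Verify(king, prince, subject *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(king)
	inters.AddCert(prince)
	_, err := subject.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

Leave the prince out of the intermediates and Verify fails with an unknown-authority error, which is exactly the hierarchy the post describes: the subject's paper is only as trusted as the chain that leads from it up to the king.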