Certificate Authority (CA)
In general, the Certificate Authority manages all aspects of PKI certificate management, including the phases of certificate lifecycle management. A CA issues certificates to be used to verify that the subject imprinted on the certificate is the owner of the public key - therefore, authenticating the digital identity of the user. In a PKI system, the client generates a public-private key pair. The public key and information to be imprinted on the certificate are sent to the CA. The CA then creates a digital certificate consisting of the user’s public key and certificate attributes. The certificate is signed by the CA with its private key.
Certificate authorities validate organizations, people and devices by issuing digital certificates, and it is these certificates that are used to encrypt transactions, protect information, and to enable secure communication.
Digital Certificates
Digital certificates enable PKI to function. A digital certificate serves as an electronic identification that facilitates the verification of identities between users during online transactions. PKI enables secure connections between two communicating machines because the identities of the two parties can be verified using certificates.
Registration Authority
The Certificate Authority (CA) authorizes the Registration Authority (RA) to provide digital certificates to users on a case-by-case basis. An encrypted certificate database stores all certificates requested, received, and revoked by both the Certificate Authority and the Registration Authority.
Certificate history and information are stored on what is known as a certificate store, which is typically located on a specific computer and serves as a storage space for all memory related to the certificate history, including issued certificates and private encryption keys. A certificate store can potentially contain certificates from multiple CA’s.
Validation Authority (VA)
A VA enables a company to ensure that a certificate has not been revoked. The VA function is performed by an online facility hosted by an organization that manages the PKI. To advertise revoked certificates, a validation authority will frequently use OCSP or CRL.
Public Key
A Public Key is a cryptographic mathematical key that has public availability and does not require secure storage. Messages encrypted by the public key can only be decrypted by the corresponding private key.
Private Key
The recipient uses a private key to decrypt a message encrypted with a public key. Since the message is encrypted with a specific public key, it can only be decrypted with the corresponding private key. This establishes ownership of the private and public keys, ensuring that the message is only read by those who have been authorized.
Secure Storage
To protect the key from compromise, both the Certificate Authority (CA) and the end entity must have a method of securely storing a private key.
Hardware Security Modules improve the overall security of the PKI. This device safeguards and manages digital keys, laying the foundation for a secure enterprise PKI infrastructure. The HSM contributes to managing the entire lifecycle of cryptographic keys, including key creation, rotation, deletion, auditing, and API integration with various applications. The sole purpose of an HSM is to conceal and protect cryptographic data.