Basic Terms

What is a Certificate?

A PKI ( public-key infrastructure) certificate proves the ownership of a public key. SSL certificates have a key pair: public and private key. These are used to establish an encrypted connection.

A certificate contains the following data:
  • information about key

  • information about the owner such as domain name, company name and location. The owner is called subject. The owner (subject) of a certificate can be a person or an organization but also a computer or a device.

    and

  • the digital root signature of the issuer CA (certificate authority) that verified the content of the certificate.

What is a CA?

In a PKI, the certificate issuer is a CA.

Typically this is a company that issues certificates for customers and charges them.

CA signs certificates. CA processes the requests from people or organizations.

CA verifies the identity of the person who requests to create a certificate and the information and then creates a certificate and signs it. To sign a certificate, a CA needs a root certificate and the corresponding private key.

CA also maintains the information if an issued certificate is valid and a list of certificates that have been revoked (e.g. key has been compromised).

A CA is divided into two different types. An internal CA is organized by Self-Signed-Certificates. The differences between those Self-Signed Certificates and external Certificates (issued by an external CA company such as VeriSign) are explained in the following table.
Table 1. Internal and External CAs
Internal CA External CA
It causes internal administrative efforts to handle host certificates. (e.g., Import CA into Trusted Certification Authorities) Control of CA itself is not possible.
No financial costs per certificate. The financial cost of SSL certificates depends on the type and functionality of the certificate.
It causes administrative effort for internet-facing applications. External partners do not trust an internal CA. Trusted by most browsers (e.g., VeriSign).
The asset owner is responsible for protecting CA. The vendor of a CA is responsible for protecting its infrastructure.
Figure 1. CA ↔ Certificate Overview

Public key: The public key is used together with the private key to establish an encrypted connection.

Name of the root certificate: To sign a certificate, a CA (certificate authority) needs a root certificate and the corresponding private key.

The root signature: CA verifies the identity of the person who requests to create a certificate and the information and then creates a certificate and signs it.