1-2
CAs are trusted by different users in a PKI system, the CAs will form a CA tree with the root CA at the top
level. The root CA has a CA certificate signed by itself while each lower level CA has a CA certificate
signed by the CA at the next higher level.
CRL
An existing certificate may need to be revoked when, for example, the user name changes, the private
key leaks, or the user stops the business. Revoking a certificate is to remove the binding of the public
key with the user identity information. In PKI, the revocation is made through certificate revocation lists
(CRLs). Whenever a certificate is revoked, the CA publishes one or more CRLs to show all certificates
that have been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an
effective way for checking the validity of certificates.
A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing
them in a single CRL may degrade network performance, and it uses CRL distribution points to indicate
the URLs of these CRLs.
CA policy
A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking
certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of certification practice
statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and
e-mail. As different CAs may use different methods to check the binding of a public key with an entity,
make sure that you understand the CA policy before selecting a trusted CA for certificate request.
Architecture of PKI
A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in
Figure 1-1
.
Figure 1-1
PKI architecture
Entity
An entity is an end user of PKI products or services, such as a person, an organization, a device like a
switch, or a process running on a computer.