PKI terms
Digital certificate
A digital certificate is a file signed by a certificate authority (CA) for an entity. It includes the following information:
Identity information of the entity.
Public key of the entity.
Name and signature of the CA.
Validity period of the certificate.
The CA's signature ensures the validity and authority of the certificate. A digital certificate binds a public key to its owner.
A digital certificate must comply with the ITU-T X.509 international standard. The most common version is X.509 v3.
This document involves local certificates and CA certificates. A local certificate is a digital certificate signed by a CA for an entity, and a CA certificate is the certificate of a CA. If multiple CAs are trusted by different users in a PKI system, the CAs form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself, and each lower-level CA has a CA certificate signed by the CA at the next higher level.
CRL
An existing certificate might need to be revoked when, for example, the username changes, the private key leaks, or the user ceases business. Revoking a certificate removes the binding between the public key and the user identity information. In PKI, revocation is performed through certificate revocation lists (CRLs). Whenever a certificate is revoked, the CA publishes one or more CRLs that list all certificates that have been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an effective way to check the validity of certificates.
A CA might publish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL might degrade network performance. It uses CRL distribution points to indicate the URLs of these CRLs.
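The CA tree and CRL checks described above, as an added example that is not part of the original document: it builds a constructed tree (Root CA, Sub CA, local certificates) with the third-party Python `cryptography` package, verifies each CA signature up to the trusted root, and looks up each serial number in the issuing CA's CRL. The helper names (`issue`, `publish_crl`, `check_path`, `demo`), subject names, and serial numbers are assumptions for illustration, and the CRLs are assumed to be already retrieved from their distribution points and keyed by issuer DN.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

T0 = datetime(2024, 1, 1)  # constructed date for all sample objects

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject, issuer, ca_key, public_key, serial):  # CA signs identity + public key
    return (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(public_key).serial_number(serial).not_valid_before(T0)
            .not_valid_after(T0 + timedelta(days=365)).sign(ca_key, hashes.SHA256()))

def publish_crl(issuer, ca_key, revoked_serials):  # CA-signed list of revoked serials
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name(issuer))
           .last_update(T0).next_update(T0 + timedelta(days=7)))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial)
        crl = crl.add_revoked_certificate(entry.revocation_date(T0).build())
    return crl.sign(ca_key, hashes.SHA256())

def check_path(path, crls, trusted_root):
    """path = [local cert, ..., root CA cert]; crls maps issuer DN string -> CRL."""
    if path[-1] != trusted_root:  # the root CA certificate is trusted out of band
        return "untrusted root"
    for cert, ca in zip(path, path[1:]):  # each certificate with the CA one level up
        try:  # verify the CA's signature over the certificate body
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return "bad signature"
        crl = crls.get(cert.issuer.rfc4514_string())
        if crl is None or not crl.is_signature_valid(ca.public_key()):
            return "no valid CRL"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
    return "valid"

def demo():  # constructed tree: Root CA, Sub CA, two local certs; serial 102 is revoked
    rk, sk, uk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = issue("Root CA", "Root CA", rk, rk.public_key(), 1)  # self-signed root
    sub = issue("Sub CA", "Root CA", rk, sk.public_key(), 2)
    certs = [issue("host", "Sub CA", sk, uk.public_key(), n) for n in (101, 102)]
    crls = {"CN=Root CA": publish_crl("Root CA", rk, []),
            "CN=Sub CA": publish_crl("Sub CA", sk, [102])}
    return [check_path([c, sub, root], crls, root) for c in certs]
```

The check fails closed: a certificate whose issuer has no correctly signed CRL available is rejected rather than treated as unrevoked.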
CA policy
A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of a certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email. Make sure you understand the CA policy before you select a trusted CA for certificate requests, because different CAs might use different policies.