... | ... | @@ -26,12 +26,15 @@ Certificate Authority (CA) requirements (such as the hash algorithm used for the |
|
|
|
|
|
There are 3 types of certificates to provide to the PKI:
|
|
|
* The "trusted issuers" are Certificate Authorities (CAs) from which issued certificates are also trusted. All the certificates of the signing chain including the root CA must be provided.
|
|
|
* The "issued certificates" are certificates issued by untrusted CA. These certificates are considered themselves trustworthy (if the certificate properties and its signature are both valid).
|
|
|
* The "issued certificates" are certificates issued by untrusted CA or self-issued. These certificates are considered themselves trustworthy (if the certificate properties and its signature are both valid).
|
|
|
* The "untrusted issuers" are CAs which are used to verify the signing chain of the "issued certificates". Each issued certificate must have its whole signing CA chain in the untrusted issuers or the trusted issuers up to the root CA.
|
|
|
|
|
|
Note: the difference between trusted **issuers** and trusted **issued** certificates is that issued certificates are trusted on a one by one basis, whereas the trusted issuer may emit a large number of trusted certificates.
|
|
|
|
|
|
Note 2: each CA shall be provided with an associated Certificate Revocation List (CRL) to be considered valid by the PKI. See details on CRL list below.
|
|
|
|
|
|
Note 3: certificates issued by trusted CA don't need to be provided to the PKI.
|
|
|
|
|
|
In addition, there are two more concepts:
|
|
|
* A link (or intermediate) CA is part of the certificate validation chain. All links between a certificate and a root certificate must be provided (and sorted in child to parent order).
|
|
|
* A root CA is always trusted, even if there are other root CAs that signed it. Hence the parent of root CAs will never be checked, and the validation stops on root CAs.
|
... | ... | |