Certificate Authority - Hierarchy and Usage | Encryption Consulting (2024)

Security and safety on the internet are essential, and individuals and organizations often have a legitimate need to encrypt their communications and to verify the identity of the parties they are communicating with.

A certificate authority is a trusted entity that issues digital certificates. A certificate authority performs three major tasks:

  • Issues certificates
  • Certifies the identity of the certificate owner
  • Proves the validity of the certificate

Digital Certificates

A certificate, or digital certificate, is a set of data used to verify an entity’s identity. Certificates are issued by CAs and follow a specific format, the X.509 certificate standard.

The information contained in a certificate is:

Learn more about digital certificates: Digital Certificate and Windows Certificate Stores | Encryption Consulting

How Does a Certificate Authority Work?

The process for getting a certificate authority to issue a signed certificate is explained below:

  1. The requestor or client creates a key pair (public and private key) and submits a request known as a certificate signing request (CSR) to a trusted certificate authority. The CSR contains the public key of the client and the identifying information about the requestor.
  2. The CA verifies that the information in the CSR is accurate. If so, it issues and signs a certificate using the CA’s private key and then gives it to the requestor to use.
  3. The requestor can use the signed certificate with the appropriate security protocol.

Uses of a certificate authority

Certificate authorities issue various types of certificates, one of which is an SSL certificate. SSL certificates are used on servers and are the most common certificate that an everyday user would come in contact with. The three validation levels of an SSL certificate are:

  • Extended Validation (EV)
  • Organization Validation (OV)
  • Domain Validation (DV)

Certificates with higher levels of trust usually cost more as they require more work on the part of the certificate authority.

  1. Extended Validation (EV)

    These certificates provide the highest level of assurance from the certificate authority that it has validated the entity requesting the certificate. During verification of an EV SSL certificate, the owner of the website passes a thorough and globally standardized identity verification process (a set of vetting principles and policies ratified by the CA/Browser Forum) to prove exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove that the entity has authorized the issuance of the certificate. This verified identity information is included within the certificate.

    For example, an individual requesting an EV certificate must be validated through face-to-face interaction with the applicant, review of a personal statement, one primary form of identification such as a passport or driver’s license, and two secondary forms of identification.

  2. Organization Validation (OV)

    OV certificates provide a higher level of assurance than DV certificates and require human verification of the organization’s identity. OV SSL certificates assure visitors that they are on a website run by an authentic business. Before an OV certificate is granted, a member of the CA’s security team must contact the business to confirm that the owners actually requested the SSL certificate.

  3. Domain Validation (DV)

    Domain Validation certificates are the easiest to obtain of all the certificate types, since no manual identity check takes place. DV SSL certificates require only that the applicant demonstrate ownership of the domain for which the certificate is being requested. DV certificates can be acquired almost instantly and at low to no cost. For example: AWS Certificate Manager (ACM) DNS or email validation.

Certificate authorities also issue other types of digital certificates:

  1. Code Signing Certificates

    Code signing certificates are used by software publishers and developers to sign their software distributions. End users use these to authenticate and validate software downloads from the vendor or developer.

  2. Email certificates

    Enable entities to sign, encrypt, and authenticate email using the S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol for secure email attachments.

  3. Device certificates

    Issued to Internet of Things (IoT) devices to enable secure administration and authentication of software or firmware updates.

  4. Object certificates

    Used to sign and authenticate any type of software object.

  5. User or client certificates

    Used by individuals for various authentication purposes.

Client-Server Authentication via Certificate Authority (CA)

The CA issues a digital certificate, also known as an SSL/TLS certificate, that binds a public key to identifying information about the entity that owns that public key. This lets any relying system verify the entity-key binding of any presented certificate.

  1. The first step is finding out whether the CA is a trusted CA. The CA name is taken from the certificate and compared to a list of trusted CAs provided by the web browser. If the CA name is found in that list, the client then retrieves the CA’s corresponding public key to use in the next validation step.
  2. In this step, the digital signature on the server’s certificate is validated. It is basically the hash of the CA’s public key.
  3. To validate the digital signature, the client hashes the CA’s public key with the same hash algorithm the CA used to produce the digital signature.
  4. If the two hashes match, the digital signature is valid and the certificate is authenticated. If the hashes do not match, the certificate is invalid and cannot be authenticated.
  5. Certificate expiration dates also need to be checked to validate the certificate.
  6. Once a certificate is authenticated, the identity of the owner of the certificate is authenticated as well.

CA Hierarchy options

CAs are hierarchical in structure, and there are generally three types of hierarchies: one-tier, two-tier, and three-tier.

Single/One-Tier Hierarchy

In this type of hierarchy, the single CA is both an Issuing CA and a Root CA. The Root CA is installed as an Enterprise CA, leaving the Root CA on the network as a member of a specific domain. In short, the Root CA is always online and available to issue certificates to requesting users, computers, network devices, etc.

This single-tier hierarchy is not recommended for any production scenario because a compromise of this single CA is a compromise of the entire PKI.

Two-Tier Hierarchy

A two-tier hierarchy meets most companies’ needs. This design comprises an offline Root CA and an online Subordinate Issuing CA. In this model, the level of security is increased because the Root CA is detached from the network, so the private key of the Root CA is better protected from compromise. The two-tier hierarchy also increases scalability and flexibility, since there can be multiple Issuing CAs subordinate to the Root CA. This allows CAs to exist in different geographical locations, as well as at different security levels.

Three-Tier Hierarchy

In a three-tier CA hierarchy, an offline Root CA is installed as a standalone Root CA, and one or more offline Intermediate/Policy CAs and one or more Issuing CAs are installed as Enterprise Subordinate CAs. The Policy CA is configured to issue certificates to the Issuing CA, which is restricted in what types of certificates it issues. One reason the second layer is added in this hierarchy is that if you need to revoke a number of CAs due to a key compromise, you can perform the revocation at the second level, leaving the other “branches from the root” available. It should be noted that second-tier CAs in this hierarchy can, like the Root, be kept offline.
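The two-tier hierarchy just described, together with the client-server validation steps in the earlier section, as an added Go example that is not Encryption Consulting’s code: it builds a constructed root CA, issuing CA and server certificate with the standard library’s crypto/x509 package and then verifies the server certificate the way a relying party does. The CA names, the hostname www.example.test and the function names are constructed for this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair for cn, fills in its certificate and has the parent CA sign it with
// parentKey (step 2 of the CSR flow); a nil parent yields a self-signed root. Constructed sample PKI.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // CAs may sign other certificates
	if !isCA { tmpl.ExtKeyUsage, tmpl.DNSNames = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{cn} }
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { parent, parentKey = tmpl, key } // the root is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildTwoTier constructs the sample PKI: offline root -> online issuing CA -> server leaf.
func BuildTwoTier() (root, issuing, leaf *x509.Certificate) {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil)
	issuing, issKey := issue("Example Issuing CA", 2, true, root, rootKey)
	leaf, _ = issue("www.example.test", 3, false, issuing, issKey)
	return root, issuing, leaf
}
// VerifyLeaf runs the relying-party checks: trusted-root lookup, signature verification along
// the chain, validity period and hostname match; it returns the length of the verified chain.
func VerifyLeaf(leaf *x509.Certificate, roots, inters []*x509.Certificate, host string) (int, error) {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots { rp.AddCert(c) }
	for _, c := range inters { ip.AddCert(c) }
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, DNSName: host})
	if err != nil { return 0, err } // unknown authority, bad signature, expired, or wrong hostname
	return len(chains[0]), nil // 3 = leaf, issuing CA, root
}
func main() {
	root, issuing, leaf := BuildTwoTier()
	fmt.Println(VerifyLeaf(leaf, []*x509.Certificate{root}, []*x509.Certificate{issuing}, "www.example.test")) // 3 <nil>
}
```

Each signature in the chain is checked with the issuer’s public key over that certificate’s signed contents, so the client needs the issuing CA’s certificate (sent by the server or kept as an intermediate) but only the root in its trust store; with the root absent, Verify fails with an unknown-authority error.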

Conclusion

A certificate authority plays the key role of facilitating secure communication and building trust between a user and a resource by verifying that the organization and client in question are authentic or valid.

For a complete list of the recommendations for planning a CA hierarchy, along with the level of business impact at which you should consider implementing them, refer to Securing PKI: Appendix F: List of Recommendations by Impact Level.
