Certification Authorities

A certification authority (CA) is an organization that acts as a trusted third party to vouch for the authenticity of public keys within a PKI. When implementing a PKI, organizations can choose to either insource or outsource CA services. This decision needs to be made carefully since it takes a lot of planning to execute CA services. You need to develop a security policy; plan for the cost of the infrastructure; educate users; train staff to administer the certificate server (if insourcing); consider legal issues; and plan for every scenario in terms of how the certificates are issued, renewed, and revoked, if need be.

Outsourcing of CA services is often the preferred option if you have several thousand or more business partners or customers and you are satisfied with the third-party CA's experience and level of service for your specific applications. Examples of third-party CAs include GTE and VeriSign. Insourcing CA services is an excellent choice if you have a limited set of business partners (that is, hundreds or perhaps a few thousand) and if your data is highly sensitive. This is typical of extranet applications. In this case, you might well want to use Certificate Server and become your own CA.