5.2 Public key certificate for RSA scheme
In its turn , the entity requiring an EMV ¢ public key certificate also runs an RSA scheme, regardless of whether it is used for digitally signing information (see Appendix D, Section D.3) or for creating a digital envelope that encrypts a PIN using the asymmetric encryption mechanism (see Appendix D, Sections D.1.2 and D.5.5).
Correspondingly, the parameters entity public key modulus and entity public key exponent submitted for certification correspond to the modulus n and the public exponent e , respectively, of an RSA scheme. For this reason the Public Key Algorithm Indicator ”which is an item in the certificate specifying the type of algorithm that uses the certified parameters ”is set at the moment to a unique value 01h corresponding to the RSA algorithm.
The entity private signing key, which is denoted ( n _{ S } , d _{ S } ) in the RSA context, can be used for generating a digital signature on a message. Everyone having the corresponding entity public verification key, which is denoted ( n _{ S } , e _{ S } ) in the RSA context, and (part of) the message that is signed can verify the correctness of the signature.
The entity can use the entity private decryption key, which is denoted ( n _{ E } , d _{ E } ) in the RSA context, to decrypt any digital envelope computed with the corresponding entity public encryption key, which is denoted ( n _{ E } , e _{ E } )in the RSA context.
Note that when the storage space of the entity allows it, an entity keeps separate key pairs (private key/public key) for signing and encrypting [i.e., (( n _{ S } , d _{ S } )/( n _{ S } , e _{ S } )) and (( n _{ E } , d _{ E } )/( n _{ E } , e _{ E } )), respectively].
5.3 Entities and certifiers
In the EMV 2000 specifications there are two types of entities requiring certificates on their public keys: the issuer of a card containing an EMV ¢ debit/credit application and the ICC.
5.3.1 Issuer requires a public key certificate
When the issuer is the entity that requires an EMV ¢ public key certificate, the material to be certified is the issuer public key, which consists of the issuer public key modulus , denoted n _{ I } with the bytelength N _{ I } , and the Issuer Public Key Exponent (tag 9F32), denoted e _{ I } . The corresponding certificate is referred to as the Issuer Public Key Certificate (tag 90). The actual upper limitation on N _{ I } is 248 bytes, while the value of e _{ I } can be either 3 or 2 ^{ 16 } + 1. In this case, the certificate format, which is an item of the certificate content that distinguishes among several types of certificate formats, is set to 02h.
In this case the certifier is named the Certification Authority (CA), which runs an RSA digital signature scheme with recovery (see Appendix F, Section F.3). This scheme is parameterized with the certification authority public key modulus, denoted n _{ CA } with the bytelength N _{ CA } , the certification authority public key exponent, denoted e _{ CA } , and the certification authority secret key exponent, denoted d _{ CA } . The actual upper limitation on N _{ CA } is 248 bytes, while the value of e _{ CA } can be either 3 or 2 ^{ 16 } + 1. Moreover, the relationship between N _{ I } and N _{ CA } has to be N _{ I } ‰ N _{ CA } .
A card association or a payment system operator proposing an EMV ¢ debit/credit application can play the role of the CA.
5.3.2 ICC requires a public key certificate
When the ICC is the entity that requires an EMV ¢ public key certificate, the material to be certified can be:

The ICC public key modulus, denoted n _{ IC } with the bytelength N _{ IC } , and the ICC Public Key Exponent (tag 9F47), denoted e _{ IC } . The ICC public key consists of the pair ICC public key modulus and ICC Public Key Exponent. The corresponding certificate is referred to as the ICC Public Key Certificate (tag 9F46). The actual limitation on N _{ IC } is 248 bytes, while the value of e _{ IC } can be either 3 or 2 ^{ 16 } + 1. In this case, the certificate format is set to 04h. The associated RSA scheme is used by the card for digitally signing information that includes at least a random number received from the terminal. This is performed with the corresponding ICC private key, consisting of the pair ICC public key modulus n _{ IC } and the ICC secret key exponent d _{ IC } .

The ICC PIN encipherment public key modulus, denoted n _{ PE } with the bytelength N _{ PE } , and the ICC PIN Encipherment Public Key Exponent (tag 9F2E), denoted e _{ PE } . The ICC PIN encipherment public key consists of the pair ICC PIN encipherment public key modulus and ICC PIN Encipherment Public Key Exponent. The corresponding certificate is referred to as the ICC PIN Encipherment Public Key Certificate (tag 9F2D). The actual upper limitation on N _{ PE } is 248 bytes, while the value of e _{ PE } can be either 3 or 2 ^{ 16 } + 1. In this case, the certificate format is set also to 04h. The terminal uses the ICC PIN encipherment public key ( n _{ PE } , e _{ PE } ) for creating a digital envelope that includes the cardholder's PIN, which is sent encrypted for local verification in the card. The card uses the corresponding ICC PIN encipherment private key ( n _{ PE } , d _{ PE } ), for decrypting the digital envelope. The parameter d _{ PE } is referred to as the ICC PIN encipherment secret key exponent.
In this case the certifier is the card's issuer, which runs an RSA digital signature scheme with recovery (see Appendix F, Section F.3). The scheme is parameterized with the issuer public key modulus ( n _{ I } ), the Issuer Public Key Exponent ( e _{ I } ), and the issuer secret key exponent, denoted d _{ I } . The issuer private key, which consists of the issuer public key modulus and the issuer secret key exponent ( n _{ I } , d _{ I } ), is used for signing the certificates for the ICC. Note that N _{ I } , N _{ IC } , and N _{ PE } , should respect the relations N _{ IC } ‰ N _{ I } and N _{ PE } ‰ N _{ I } .