Certificate Components

It has been mentioned that a CA interfaces with most organizations to issue their certificates and to provide the CA's own certificate for the organization's trusted store. Many CAs transfer certificates across the Internet to the subject's TA. To move from one CA to another, a cross-certification may be required. The X.509 specification (section 8.1.2) defines a cross-certificate in this way:

"A Certification Authority may be the subject of a certificate issued by another Certificate Authority. In this case, the certificate is called a cross-certificate".

CAs are the trusted third party that organizations use to manage their certificates outside of the organization. The CA publishes a CRL listing the certificates it has revoked and sends the CRL to the organization so that it can perform whatever revocation checks it requires. The CA may also retain copies of private keys in case any are lost and key recovery has to be performed.

Tip  

Some CAs operate slightly differently, so a particular CA such as VeriSign should always be researched to understand exactly which services it offers.

When certificates are being transferred, services other than CAs and users might be processing the certificates. One of these services is the Registration Authority (RA). The RA performs the same administrative tasks described for the CA, except that an RA may sit in front of the CA and use human intervention for tasks such as getting a certificate revoked, registering a certificate, and reporting key compromises. At no time is the RA part of a certificate trust or certificate path.

An RA is useful when human intervention is needed to work with organizations to get them set up for certificates. Using an RA also offloads some of the work from the CA, leaving the CA to deal only with the trust model; the CA receives a lot of traffic from organizations. After the CA has registered the certificate, the organization might deal only with the CA's Certificate Server for most of its functionality. How much human intervention is involved with the certificate depends on which Web and Application servers are used to process the digital certificate.

Some Web and Application servers use a Certificate Repository for storing certificates, usually requiring an LDAP server as the data store. Some of these components may not come standard out of the box, so it might be necessary to extend some of the certificate interfaces through the use of Java. Some of the functionality that Java can provide for certificates was discussed in the previous chapter, which covered manipulating the X.509 format in certificates. This chapter discusses using Java for extending and validating the certificate path.
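To make the certificate-path idea concrete, the following is an added example (not code from the book) that validates a subject's certificate chain against a CA certificate held as the trust anchor, using the Java PKIX validator and the CA's CRL for revocation checking. The file names `server.pem`, `intermediate.pem`, `ca.pem` and `ca.crl` are assumed placeholders; a cross-certificate would simply appear as one more intermediate in the chain.

```java
import java.io.FileInputStream;
import java.security.cert.*;
import java.util.*;

/** Validates a certificate path (end-entity first, trust anchor excluded) with CRL checking. */
public class CertPathCheck {

    public static PKIXCertPathValidatorResult validate(List<String> chainFiles,
                                                       String caFile,
                                                       List<String> crlFiles) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // The path is ordered from the subject's certificate up to (but not including) the CA.
        List<X509Certificate> chain = new ArrayList<>();
        for (String f : chainFiles) {
            try (FileInputStream in = new FileInputStream(f)) {
                chain.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        CertPath path = cf.generateCertPath(chain);

        // The CA certificate from the trusted store is the trust anchor, not part of the path.
        X509Certificate ca;
        try (FileInputStream in = new FileInputStream(caFile)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));

        // Supply the CRLs the CA distributed so the validator can reject revoked certificates.
        List<X509CRL> crls = new ArrayList<>();
        for (String f : crlFiles) {
            try (FileInputStream in = new FileInputStream(f)) {
                crls.add((X509CRL) cf.generateCRL(in));
            }
        }
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) {
        try {
            // Assumed placeholder file names; replace with the organization's own files.
            PKIXCertPathValidatorResult r = validate(Arrays.asList("server.pem", "intermediate.pem"),
                                                     "ca.pem", Arrays.asList("ca.crl"));
            System.out.println("Path valid, anchored at: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Index identifies the certificate in the path that failed; reason covers expiry, revocation, etc.
            System.out.println("Path rejected at index " + e.getIndex() + ": " + e.getReason() + " (" + e.getMessage() + ")");
        } catch (Exception e) {
            System.out.println("Could not load inputs: " + e);
        }
    }
}
```

A revoked subject certificate is reported with reason `REVOKED`, whereas a missing CRL for any issuer in the path makes the validator fail closed rather than silently skip the revocation check.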

Java Security Solutions
Year: 2001
Pages: 222