PKI Glossary
- CA
The Certificate Authority is the trusted entity whose public key is already known to relying parties and which is able to issue certificates and CRLs.
- Certificate
This is a public key and an identity bound together by a CA signature.
- CRL
A Certificate Revocation List is a list of certificates revoked by the CA, so that the CA can recognise any enquiry about such a revoked certificate and respond accordingly.
- CSR
A Certificate Signing Request is a formal request asking the CA to sign a certificate. It contains the public key of the entity requesting the certificate and some information about that entity. Once the CA has generated the certificate, the signed certificate is returned to the requester. A CSR is always signed with the private key corresponding to the public key it carries.
- Cross Certificate
This is a CA certificate issued by an external CA to the primary PKI hierarchy. It is used to connect two PKIs and thus usually comes in pairs.
- DER
Distinguished Encoding Rules is a binary format for certificates and keys, commonly used on Windows.
- DN
A Distinguished Name is the set of identifying details of the entity to which a signed certificate is issued.
- User Certificate
This is an end-user certificate issued for purposes such as email protection, server authentication, client authentication or code signing. A user certificate cannot be used to sign other certificates.
- Intermediate CA
This is the CA below the root CA; it can issue CA certificates but does not issue user certificates.
- PEM
Privacy Enhanced Mail is a base-64 encoded text format for files, with header and footer lines. Historically its main purpose was signing emails, but it is now used for many security purposes. This is the preferred format of OpenSSL and of other software based on OpenSSL.
- PKI
The Public Key Infrastructure is a security architecture where trust is conveyed through the signature of a trusted CA.
- Root CA
This is the CA at the root of a PKI hierarchy who only issues certificates.
- Root Certificate
This is a CA self-signed certificate at the root of the PKI hierarchy. It serves as the PKI’s trust anchor.
- RSA
A public-key algorithm named after Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described it in 1978.
- SAN List
The Subject Alternative Name is an X.509 extension that lists all hostnames tied to a certificate. This list can be placed in a separate text file with the entry subjectAltName =
- Signing CA
This is the CA at the bottom of the PKI hierarchy whose only responsibility is to issue user certificates.
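As an added example that is not part of this glossary, the POSIX shell script below ties the CSR and SAN List entries together using OpenSSL: it generates a private key, builds a CSR whose SAN list lives in a separate config file, and then checks that the CSR's self-signature verifies against the embedded public key and that the requested hostnames appear in the SAN extension. The hostnames and file names are constructed placeholders, and an installed `openssl` binary is assumed.

```shell
#!/bin/sh
# Added example, not from the glossary: build a CSR carrying a SAN list with
# OpenSSL and check the properties the CSR and SAN entries describe.
# Hostnames below are constructed placeholders.
set -eu

# make_csr DIR: writes DIR/san.cnf, DIR/server.key and DIR/server.csr
make_csr() {
    dir="$1"
    mkdir -p "$dir"
    # Separate text file holding the request config; the subjectAltName
    # entry points at the [alt_names] section that lists every hostname.
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions     = req_ext
prompt             = no

[dn]
CN = www.example.test
O  = Example Org

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.test
DNS.2 = api.example.test
EOF
    # The private key stays with the requester; only the CSR goes to the CA.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server.key" 2>/dev/null
    # The CSR is signed with this key, so it carries the matching public key.
    openssl req -new -key "$dir/server.key" -config "$dir/san.cnf" \
        -out "$dir/server.csr"
}

# csr_signature_ok DIR: succeeds only if the CSR's self-signature verifies,
# i.e. the requester really holds the private key for the embedded public key
csr_signature_ok() {
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1
}

# csr_has_san DIR NAME: succeeds only if NAME is listed in the CSR's SAN extension
csr_has_san() {
    openssl req -in "$1/server.csr" -noout -text | grep -q "DNS:$2"
}
```

A CA should run the same signature check on every CSR it receives before issuing, since a CSR whose self-signature fails proves nothing about key possession.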