PKI Glossary

CA

The Certificate Authority is the trusted entity that issues certificates and CRLs. Relying parties can verify what it signs because its public key (carried in its own CA certificate) is already known to them, either installed directly as a trust anchor or chained to one.

Certificate

This is a public key and the identity of its holder (the subject) bound together by a CA signature, along with a serial number, a validity period and extensions that state what the key may be used for.

CRL

A Certificate Revocation List is a signed, dated list of the serial numbers of certificates the CA has revoked before their expiry, for example because the private key was compromised. The CA publishes it so that relying parties can reject a certificate that would otherwise still validate; certificates that have simply expired are not listed.

CSR

A Certificate Signing Request (normally in PKCS #10 format) is a formal request asking the CA to issue a certificate. It contains the public key of the entity requesting the certificate and some identifying information about it (the requested subject DN and, optionally, extensions such as a SAN list); the private key never leaves the requester. A CSR is always signed with the private key corresponding to the public key it carries, which proves possession of that key, and the CA verifies this signature before issuing. The CA is free to ignore or override fields in the request; the signed certificate it actually generates is then returned to the requester.

Cross Certificate

This is a CA certificate issued by a CA in one PKI hierarchy for the public key of a CA in another (typically the other hierarchy's root). It lets relying parties who trust the issuing CA build a valid chain to certificates from the other hierarchy, and so connects two PKIs; when the trust is mutual, cross certificates come in pairs.

DER

The Distinguished Encoding Rules (ITU-T X.690) are a binary ASN.1 encoding in which every value has exactly one valid encoding. Certificates, CSRs and CRLs are DER-encoded before they are signed, and the signature covers those exact bytes. DER is not specific to any operating system, although Windows commonly uses it for .cer files; a PEM file is simply DER in base64. Because the encoding is canonical, a strict DER parser rejects BER-only constructions such as indefinite or non-minimal lengths.

DN

A Distinguished Name is the X.500-style hierarchical name that identifies a certificate's subject and its issuer, built from attributes such as CN (common name), O (organization), OU (organizational unit), L (locality), ST (state or province) and C (country), for example CN=www.example.com, O=Example Ltd, C=GB. For server certificates the hostname is checked against the SAN list, not the CN.

User Certificate

This is an end-entity certificate issued for purposes such as email protection, server authentication, client authentication or code signing, as declared in its Key Usage and Extended Key Usage extensions. A user certificate cannot be used to sign other certificates: its Basic Constraints extension does not mark it as a CA, and X.509 path validation rejects any chain that passes through it.

Intermediate CA

This is a subordinate CA below the root CA. In the three-tier hierarchy described in this glossary it issues CA certificates to signing CAs and does not issue end-entity certificates itself; a path length constraint in its own certificate can enforce how many CA levels may sit below it. It lets the root stay offline: if the intermediate's key is compromised, the root revokes it without the whole hierarchy having to be rebuilt.

PEM

Privacy Enhanced Mail is a base64-encoded text format that wraps DER data between header and footer lines such as -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, with the body broken into 64-character lines. It originated in the PEM secure email standards (RFC 1421 to 1424), which are now obsolete, but the encoding survived and is used for certificates, keys, CSRs and CRLs. It is the default format of OpenSSL and of most software built on it, and because it is plain text several blocks (for example a certificate followed by its chain) can be concatenated in one file.
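
The following is an added example, not code from the original glossary, illustrating the PEM and DER entries above. It converts between the two forms and reads the outer DER tag-length-value, enforcing the rules that make DER canonical (no indefinite lengths, minimal length encoding, no trailing bytes). The sample bytes are a hand-constructed SEQUENCE { INTEGER 1, UTF8String "hi" }, not a real certificate, and the label EXAMPLE is arbitrary. It needs Python 3.9 or later and only the standard library.

```python
import base64
import binascii

# Constructed sample: a DER-encoded SEQUENCE { INTEGER 1, UTF8String "hi" }.
# Tag 0x30 (SEQUENCE), length 7, then two inner TLVs. It is not a real
# certificate; it only exercises the encoding.
SAMPLE_DER = bytes.fromhex("30 07 02 01 01 0c 02 68 69")


def der_to_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block: base64 in 64-character lines between
    -----BEGIN label----- and -----END label----- markers."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem_text: str) -> tuple[str, bytes]:
    """Decode the first PEM block in pem_text and return (label, der_bytes).
    Raises ValueError on a missing/mismatched END line or invalid base64.
    RFC 1421 header fields (e.g. Proc-Type: on encrypted keys) are not handled."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    starts = [i for i, ln in enumerate(lines)
              if ln.startswith("-----BEGIN ") and ln.endswith("-----")]
    if not starts:
        raise ValueError("no PEM BEGIN line found")
    start = starts[0]
    label = lines[start][len("-----BEGIN "):-len("-----")]
    end_marker = f"-----END {label}-----"
    try:
        end = lines.index(end_marker, start + 1)
    except ValueError:
        raise ValueError(f"missing or mismatched END line for {label!r}") from None
    body = "".join(lines[start + 1:end])
    # validate=True rejects characters outside the base64 alphabet instead of
    # silently discarding them, so a corrupted file fails loudly.
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64 in PEM body: {exc}") from None
    return label, der


def read_tlv(der: bytes, offset: int = 0) -> tuple[int, bytes, int]:
    """Read one DER tag-length-value at offset. Returns (tag, contents, next_offset).
    Enforces DER rules: no indefinite length, minimal length encoding, no truncation."""
    if offset + 2 > len(der):
        raise ValueError("truncated: need at least a tag and a length byte")
    tag = der[offset]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers are not handled in this example")
    first = der[offset + 1]
    pos = offset + 2
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if first < 0x80:
        length = first                      # short form: one byte, 0..127
    else:
        n = first & 0x7F                    # long form: n length bytes follow
        if n > 4:
            raise ValueError("length field too large for this example")
        if pos + n > len(der):
            raise ValueError("truncated length field")
        lbytes = der[pos:pos + n]
        # DER requires the shortest encoding: no leading zero bytes, and
        # values below 128 must use the short form.
        if lbytes[0] == 0 or (n == 1 and lbytes[0] < 0x80):
            raise ValueError("non-minimal length encoding is not DER")
        length = int.from_bytes(lbytes, "big")
        pos += n
    if pos + length > len(der):
        raise ValueError("truncated contents")
    return tag, der[pos:pos + length], pos + length


def parse_sequence(der: bytes) -> list[tuple[int, bytes]]:
    """Parse an outer SEQUENCE and return its children as (tag, contents) pairs,
    rejecting trailing bytes after the SEQUENCE."""
    tag, contents, end = read_tlv(der)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE (0x30), got 0x{tag:02x}")
    if end != len(der):
        raise ValueError("trailing bytes after outer SEQUENCE")
    children, off = [], 0
    while off < len(contents):
        t, v, off = read_tlv(contents, off)
        children.append((t, v))
    return children


def is_strict_der_sequence(der: bytes) -> bool:
    """True if der is exactly one well-formed DER SEQUENCE, False otherwise."""
    try:
        parse_sequence(der)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pem = der_to_pem("EXAMPLE", SAMPLE_DER)
    print(pem, end="")
    label, der = pem_to_der(pem)
    print(label, der.hex(), der == SAMPLE_DER)
    for tag, value in parse_sequence(der):
        print(f"tag 0x{tag:02x} len {len(value)} value {value!r}")
```

The strictness matters because the CA's signature covers the DER bytes: a lenient parser that also accepts BER (indefinite lengths, padded length fields) lets two different byte strings decode to the same structure, which is the class of ambiguity certificate parsers are supposed to rule out.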

PKI

A Public Key Infrastructure is the set of CAs, certificates, revocation data, policies and procedures through which trust in a public key is conveyed by the signature of a trusted CA, so that a relying party can accept a key it has never seen before by verifying a chain of signatures back to a trust anchor it already holds.

Root CA

This is the CA at the root of a PKI hierarchy. It issues only CA certificates (to intermediate CAs) and its own CRL, never end-entity certificates, and is normally kept offline because its private key is the single point of trust for the whole hierarchy.

Root Certificate

This is the CA's self-signed certificate at the root of the PKI hierarchy. It serves as the PKI's trust anchor: the self-signature proves nothing on its own, so relying parties must obtain the root certificate through a trusted channel, typically an operating system or browser trust store, rather than from the peer they are verifying.

RSA

RSA is a public-key algorithm named after Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described it in 1978. In a PKI it is used both to sign certificates and CRLs and as the key type in many certificates; current guidance is a modulus of at least 2048 bits.

SAN List

The Subject Alternative Name is an X.509 extension that lists the identities a certificate is valid for: DNS hostnames (including wildcards such as *.example.com), IP addresses, email addresses and URIs. Modern clients match the server hostname against this list and ignore the CN for that purpose, so every name a server answers to must appear here. In OpenSSL the list can be placed in a configuration file as a subjectAltName = entry whose value is a comma-separated list of DNS:, IP:, email: and URI: items, referenced when the CSR or certificate is generated.
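
As an added example (not part of the original glossary), the check a relying party performs against the SAN list: match the hostname against DNS entries under the RFC 6125 / RFC 9525 rules, match IP literals only against IP entries, and never fall back to the CN. The SAN list is constructed for illustration in the (type, value) form of the OpenSSL config syntax; the function names are this example's own. Python 3.9 or later, standard library only.

```python
import ipaddress

# Constructed SAN list in the (type, value) form OpenSSL's subjectAltName
# config uses; not taken from any real certificate.
SAMPLE_SAN = [
    ("DNS", "www.example.com"),
    ("DNS", "*.api.example.com"),
    ("IP", "203.0.113.10"),
]


def _normalise_dns(name: str) -> str:
    """DNS names compare case-insensitively and a trailing dot is not significant."""
    return name.rstrip(".").lower()


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match a hostname against one DNS SAN entry: exact match, or a wildcard
    that is the entire leftmost label and covers exactly one label. Partial
    wildcards (f*.example.com), wildcards in other positions (www.*.com) and
    wildcards with fewer than two labels after them (*.com) are rejected."""
    pattern, host = _normalise_dns(pattern), _normalise_dns(host)
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:            # *.example.com is the minimum accepted form
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False                 # the wildcard covers exactly one non-empty label
    return h_labels[1:] == p_labels[1:]


def host_matches_san(host: str, san: list[tuple[str, str]]) -> bool:
    """Decide whether host is covered by the SAN list. An IP literal is compared
    only against IP entries (never against DNS names); anything else is compared
    against DNS entries. The certificate's CN is deliberately not consulted."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))   # accept the [::1] URL form
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    return any(kind == "DNS" and dns_name_matches(value, host)
               for kind, value in san)


if __name__ == "__main__":
    for host in ["WWW.example.com.", "v1.api.example.com", "a.b.api.example.com",
                 "api.example.com", "example.com", "203.0.113.10", "203.0.113.11"]:
        print(f"{host:24} -> {host_matches_san(host, SAMPLE_SAN)}")
```

The cases worth noticing are the negative ones: *.api.example.com does not cover api.example.com itself or a two-level subdomain, and a certificate whose only identity is a DNS name never satisfies a connection made to an IP address.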

Signing CA

This is the CA at the bottom of the PKI hierarchy whose only responsibility is to issue user (end-entity) certificates and to publish the CRL for them. Because it signs frequently it is usually kept online, which is why it is separated from the root and intermediate CAs that sit above it.