The standards and services that facilitate the use of public-key cryptography
and X.509 version 3 certificates in a networked environment are collectively
called public-key infrastructure (PKI).

In any PKI, a certificate authority (CA) is a trusted entity that issues, renews,
and revokes certificates.
An end entity (EE) is a person, router, server, or other entity that uses
a certificate to identify itself.

To participate in a PKI, an end entity must enroll, or register,
in the system. The end entity typically initiates enrollment by giving
the CA some form of identification and a newly generated public key. The
CA uses the information provided to authenticate, or confirm, the identity.
In some cases the CA may require human intervention, such as an interview
or examination of notarized documents, to authenticate the end entity (manual
approval). In other cases the information provided may be sufficient (automatic
approval). In addition to authenticating the end entity, the CA uses the
public key to ensure "proof of possession"--that is, cryptographic evidence
that the certificate request was signed by the holder of the corresponding
private key. Finally, the CA issues a certificate that associates the end
entity's identity with the public key, and signs the certificate with the
CA's own private signing key.

Netscape Certificate Management System dramatically simplifies the PKI
enrollment process. Before you deploy a PKI, however, you need to make
many decisions about the relationships between CAs and end entities and
related policies and procedures.

End entities and CAs may be in different geographic or organizational
areas or in completely different organizations that are linked through
an extranet (that is, the extension of a company's internal network, or
intranet) to selected customers, suppliers, and mobile employees via the
Internet. CAs may include third parties that provide services through the
Internet as well as the root CAs and subordinate CAs for individual organizations.
Policies and certificate content may vary from one organization to another.
For all these reasons and many others, the deployment and long-term management
of any large-scale PKI require careful advance planning and custom configuration.