Certificate Chains/Hierarchies
In some organisations, you may want to delegate the responsibility for issuing certificates. For example, the certificate base may be too large for a single certificate authority (CA) to maintain, organisational units may be geographically separated, or you may want to apply different issuing policies to different parts of the organisation.
You can delegate this
responsibility by setting up subordinate CAs. The X.509 standard includes a
model for setting up a hierarchy of CAs. In this model, the root CA is at
the top of the hierarchy and has a self-signed certificate. The CAs that are
directly subordinate to the root CA have CA certificates signed by the root
CA. CAs under the subordinate CAs in the hierarchy have their CA
certificates signed by the subordinate CAs.
A certificate chain consists of
a certificate, the certificate of the CA that signed the certificate, the
certificate of the CA that signed the CA certificate, and so forth. A
certificate chain ends with the CA certificate of the root CA.
The diagram below shows the hierarchical structure of certificate chains. To verify a certificate lower in the hierarchy, the subordinate CA that signed it is not itself treated as trusted, so its CA certificate is in turn verified against the next CA up the chain. Each subordinate CA is treated as untrusted in this way as the verification request passes up the chain. The process continues until the root CA is reached; because the root CA is the trusted CA, verification succeeds there. Even though the responsibility for issuing certificates has been delegated, it is always the root CA that is ultimately responsible for verification of the certificate, which is how security is maintained.