Skip to main content
An Issuing Certification Authority (CA), part of the hierarchical Public Key Infrastructure (PKI) structure, plays a crucial role in managing and verifying digital certificates. It is entrusted with issuing, validating, and revoking digital certificates. The process begins when an entity, a person or a system, generates a pair of cryptographic keys and sends a Certificate Signing Request (CSR) containing the public key and some identifying information to the CA. The CA validates the authenticity of the request and the identity of the requester and then uses its private key to sign the public key of the entity, creating a digital certificate. This digital certificate, acting as a form of digital ID, can then be shared publicly to establish the identity of the entity and the authenticity of its public key. An Issuing CA relies on various elements to function effectively within a PKI. Each component plays a unique role in creating, managing, and verifying digital certificates. The key components of an Issuing CA include the following elements:
ComponentDescription
CA private key Used to sign certificates
CA public key Embedded in its own certificate for verifying the signatures
Digital certificatesBind an entity’s identity to its public key
Certificate Signing Request (CSR) A request submitted by an entity seeking a digital certificate
Registration Authority (RA) Assists the CA by validating entities’ identities

CA private key

The private key of an Issuing CA is one of the most critical assets in a PKI. It signs digital certificates, and you must keep it highly secure to maintain the trustworthiness of the PKI. If the private key is compromised, the integrity of all certificates issued by that CA is in jeopardy. Access to the private key should be tightly controlled and monitored. On the KMES Series 3, the private key is always stored securely, either as an HSM Trusted key (which is stored in the KMES database encrypted with the MFK or PMK) or as an HSM Protected key (which is stored inside the internal HSM).

Public key

The public key of an Issuing CA is contained within its own certificate, which is signed by the higher authority in the PKI hierarchy, typically the Root CA. This key verifies the CA’s digital signature on the certificates it issues, thus allowing anyone to verify the authenticity of a certificate. The CA public key is freely distributed and embedded in all certificates it issues.

Digital certificates

Digital certificates, often based on the X.509 standard, are the core product of an Issuing CA. These are electronic documents that contain the public key of an entity and bind this key to the identity of that entity. The certificate includes information like the issuer’s name, the entity’s name, the public key, an expiration date, and the digital signature of the Issuing CA. Digital certificates allow third parties to verify the identity of the certificate holder and the authenticity of the public key contained within the certificate.

Certificate Signing Request (CSR)

When an entity wants to obtain a digital certificate, it generates a pair of cryptographic keys (private and public) and submits a CSR to the Issuing CA. The CSR contains the entity’s public key and some identifying information, which may include the entity’s name, location, domain, email, and other attributes depending on the type of certificate being requested. The entity signs the CSR with its private key, providing the Issuing CA with a way to verify the ownership of the public key included in the request.

Registration Authority (RA)

A Registration Authority (RA) is an essential component in a PKI that acts as a proxy for the CA in the certificate issuance process. The RA is responsible for verifying the identity of entities requesting a digital certificate before the CA issues the certificates. It conducts all the necessary checks, and then either approves or denies the CSR. The RA does not have the ability to sign certificates; its primary role is to offload the identity verification tasks from the CA.