Private CA terms
    Available in Classic and VPC

    There are a few terms you need to know to use Private CA. These terms and their descriptions are as follows.

    CA hierarchy

    When a CA issues a certificate, it signs it using its own CA certificate (and the private key belonging to it). The issuer of a certificate is therefore the CA that provided the signature. A CA certificate can itself be issued by another CA, which forms a hierarchy: the upper-level CA acts as the issuer of the lower-level CA's certificate.

    OCSP (Online Certificate Status Protocol)

    An online protocol that lets a client check a certificate's status quickly, instead of downloading and reading the entire CRL in order to validate the certificate. It regularly refreshes only the status of the certificates issued by a specific CA (whether each one is still valid), so that the status information stays current.

    X.509

    A PKI-based certificate standard. It is the specification that defines a profile consisting of basic fields and extension fields for certificates and certificate revocation lists (CRLs).

    Customer-managed private root CA

    A root CA that is managed directly by the customer. The certificate of an intermediate CA created in Private CA can be registered after it has been signed with the customer-owned root CA private key.

    Public key infrastructure (PKI)

    A certificate is issued when a CA signs a certificate signing request (CSR) that contains the public key of the user's key pair, which is generated with a public-key cryptosystem. A safe authentication system also requires processes beyond issuance, such as distribution, management, storage, and revocation. PKI is the complex security environment that comprehensively defines these policies and procedures as well as the human and physical resources involved. Within PKI, the CA is responsible for issuing and revoking certificates according to strict standards. In practice, a registration authority (RA) authorized to issue certificates on behalf of the CA often performs the issuance. For example, when a financial institution uses public certificates for user authentication, it issues the user's public certificate by acting as an RA on behalf of the public CA.

    Public certificate

    A certificate issued by a legally authorized public CA. Because it is issued through a strict procedure, a public certificate can be used for user authentication with SSL/TLS or for digital signatures without any additional setup.

    Resource

    Refers to CAs in Private CA.

    Issuer

    The entity that issued the certificate.

    Issuer chain

    The chain of certificates made up of the CA's own certificate and all the CA certificates above and below it in the hierarchy.

    Private root CA

    A CA that acts as the root CA at the top level of the CA hierarchy. It is capable of issuing certificates for an intermediate CA.

    Private certificate

    A certificate issued by a CA that is managed in Private CA. When a private certificate is used for SSL/TLS or digital signatures, additional setup is required, such as adding the private CA to the trust chain.

    Private intermediate CA

    A CA that is located on an intermediate level in a CA hierarchy. It performs the same functions as a root CA, and is capable of building a lower-level structure by signing a CA certificate.

    Trust chain

    The set of public root CA certificates that are installed and trusted by default on current operating systems and web browsers. With a certificate issued by a root CA included in the trust chain (or by one of its lower-level CAs), you can use HTTPS (the protocol that secures web traffic using SSL/TLS) communication.

    Certificate authority (CA)

    The entity that issues certificates. It guarantees the identity of a certificate owner and manages certificates in general, including renewal and revocation, so that the validity of issued certificates is maintained at all times.

    Certificate

    For a network system that exchanges many messages in order to process requests and responses, it must verify the remote users attempting access (user authentication) and validate the integrity of the messages delivered (message authentication). A certificate is the object used in this handshake process. With a certificate, electronic signatures that identify the user become possible and secure encrypted network channels (SSL/TLS) can be built.

    Distinguished names (DN) of certificate

    The subject identifier specified in an X.509 certificate. It is based on X.500, a standard defined to identify specific subjects on a network (user, device, application, service, etc.). It includes the following items as its basic fields.

    • Common Name (CN): The subject's (or issuer's) common name
    • Organization (O): The organization or company to which the subject (issuer) belongs
    • Organization Unit (OU): The department within the organization or company to which the subject (issuer) belongs
    • Country (C): The country to which the subject (issuer) belongs
    • State/Province (S): The region (state or province) in which the subject (issuer) is based
    • Locality (L): The city in which the subject (issuer) is based

    Certificate revocation list (CRL)

    The list of certificates that have been revoked for reasons other than the expiry of their validity period. The CRL is updated regularly so that certificates can be validated against it.

    Subject alternative name (SAN)

    Information used to identify the subject in addition to the DN. It is an extension of the X.509 certificate and may contain DNS names, IP addresses, or email addresses. Multiple names (multi-domain) can be specified as FQDNs.

    Note

    To see a full list of terms and definitions, go to Glossary from the NAVER Cloud Platform portal.
