Private CA concepts

    Available in Classic and VPC

    Public-key certificates are used in a wide range of applications. SSL/TLS, the foundation of encrypted HTTPS web services, is a typical example, as is the digital signature technology used for identity verification in financial services and electronic approval.
    The certificates used in these examples must have their validity established and maintained throughout issuance and use. This role is played by certificate authorities (CAs). A CA must satisfy the requirements laid down by various standards and recommendations, and must provide features for issuing, viewing and revoking certificates.
    Unlike public certificates, which are used in open network environments, a private certificate is efficient and more secure for use in a limited environment. Using private certificates to define a network trust boundary makes it easy to identify and authenticate the objects within that boundary. They can also be used effectively for servers within a dedicated virtual network or for the encrypted channel of IoT devices. However, the CA that issues and manages the certificates must still meet the requirements mentioned above, so building and operating the private CA needed for the safe use of private certificates is difficult.
    With NAVER Cloud Platform's Private CA, you can build and operate a standards-based private CA stably and without great expense, however complex the requirements may be.

    [Diagram pca-1_en: Private CA overview]

    You can easily build a hierarchical private CA structure with Private CA. Furthermore, CA private keys are securely protected through the Key Management Service. Various features are also provided, allowing easy issuance of a private certificate, management of a revocation list, and viewing of certificates.

    Note

    We are planning to provide the linkage so that Private CA's private certificates can be easily and conveniently applied to various services provided by NAVER Cloud Platform.

    Private CA resource structure

    To better understand Private CA, let's look at the CA hierarchy, which is made up of Private CA's resources. A CA hierarchy consists of a private root CA, private intermediate CAs and private certificates. Private CA manages and operates the CAs you create. The following diagram shows the CA resource structure, followed by a description of each component.

    [Diagram pca-2_en: Private CA resource structure]

    • Private root CA: The root CA at the top level of a hierarchy. It issues certificates for intermediate CAs.
    • Customer-managed private root CA: Lets you use a root CA that you manage directly. In this case, the intermediate CA certificate created by Private CA is signed with the customer-owned root CA private key and then registered. For details, refer to creating an intermediate CA with the direct signature method in the section on creating private CAs in Using Private CA.
    • Private intermediate CA: A CA at an intermediate level. It performs the same functions as the root CA and can therefore build a lower-level structure by signing CA certificates.
    • Private certificate: A certificate issued by a CA that is managed by Private CA.
    Note

    Various authentication-related terms are used in the Private CA concepts. Refer to Private CA terms for help understanding them.

    Private CA status

    A CA, which is a Private CA resource, passes through a series of statuses from creation to revocation. The CA's status determines which features can be used in Private CA. The following diagram shows each CA status, followed by a description.

    [Diagram pca-4_en: Private CA status transitions]

    • Active: The normal operation status where all features of the CA are available.
    • Deactivated: The status in which all features of the CA other than viewing are suspended. Validation of already-issued certificates can continue, but all other features, including issuing new certificates, CA chain requests, CRL and OCSP, are temporarily unavailable.
    • Registration pending: This is the status before a CA certificate created through the direct signature method is registered. The CA will be automatically deleted unless a signed certificate is registered within 24 hours of creation.
    • Expired: This indicates that the CA certificate's validity period has expired. The expired CA can't be used anymore. It can be permanently deleted after the user's confirmation.
    • To be destroyed: A deletion request by the user has been received, and the CA is in the 72-hour grace period before it is automatically and permanently deleted. The planned deletion can be canceled. It's also possible to delete it right away without the grace period.
    • Destroyed: The CA is completely revoked and discarded in Private CA. Private keys are permanently deleted and can't be restored.
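    The hierarchy described in the resource structure above (root, intermediate, leaf certificate, and the direct-signature flow in which a CSR is signed by a customer-held root key), together with the CRL-based revocation that the CA statuses bear on, can be modelled end to end with the Go standard library. The following is an added example and not NAVER Cloud Platform code: the CA names, serial numbers, the hostname `app.internal.example` and the validity periods are constructed for the illustration, and all keys are plain in-memory keys where Private CA would protect them through the Key Management Service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs tmpl for public key pub with signer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl // nil parent means self-signed, which is how the root is created
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// caTemplate sets the basic constraints and key usages that chain building and CRL checks require.
func caTemplate(serial int64, cn string, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildHierarchy models the direct-signature flow: only a CSR travels to the customer-held
// root key and the signed certificate comes back as the intermediate CA. All values constructed.
func BuildHierarchy() (root, intermediate, leaf *x509.Certificate, intKey *ecdsa.PrivateKey) {
	rootKey := newKey()
	root = issue(caTemplate(1, "Example Private Root CA", 10), nil, &rootKey.PublicKey, rootKey)
	intKey = newKey()
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example Private Intermediate CA"}}, intKey))))
	must(0, csr.CheckSignature()) // the requester proves possession of the intermediate key
	intermediate = issue(caTemplate(2, csr.Subject.CommonName, 5), root, csr.PublicKey, rootKey)
	leafKey := newKey()
	leaf = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "app.internal.example"},
		DNSNames:     []string{"app.internal.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 3, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, intermediate, &leafKey.PublicKey, intKey)
	return root, intermediate, leaf, intKey
}

// VerifyLeaf is the relying-party view: trust only root and build leaf -> intermediate -> root.
// Pass a nil intermediate to see that the path cannot be completed without it.
func VerifyLeaf(leaf, intermediate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if intermediate != nil {
		inters.AddCert(intermediate)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "app.internal.example", Roots: roots,
		Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// IssueCRL has a CA publish a CRL that lists one serial number as revoked.
func IssueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked *big.Int) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: now}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// IsRevoked accepts the CRL only if its signature verifies against the issuing CA, then looks up serial.
func IsRevoked(crl *x509.RevocationList, issuer *x509.Certificate, serial *big.Int) bool {
	must(0, crl.CheckSignatureFrom(issuer))
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

func main() {
	root, inter, leaf, intKey := BuildHierarchy()
	fmt.Println("full chain:", VerifyLeaf(leaf, inter, root), "| without intermediate:", VerifyLeaf(leaf, nil, root))
	fmt.Println("leaf revoked:", IsRevoked(IssueCRL(inter, intKey, leaf.SerialNumber), inter, leaf.SerialNumber))
}
```

    Running it prints `<nil>` for the full chain, an unknown-authority error when the intermediate is withheld and only the root is trusted, and `true` for the revoked leaf. The two failing cases are what a relying party sees when a server does not send its intermediate certificate, or when a certificate has been placed on the CRL, which is why the CA chain request and CRL features listed under the statuses above matter to the services that depend on the CA.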

    Manage Private CA permissions

    Even with a systematically designed Private CA resource structure and a good understanding of CA statuses, it is all meaningless unless the CA is managed and operated under strict security procedures. Private CAs and certificates must be operated safely and securely, so Private CA lets you set admin and user permissions using sub accounts provided by Sub Account in NAVER Cloud Platform together with Private CA's own per-user permission management feature. Admins and users use the features provided by Private CA within their assigned permissions.
    The admin permission grants the right to use and manage all the CA resources within a Private CA; it is set in Sub Account. The individual user permission lets you use and manage only the CAs assigned to you; it is set in Private CA by clicking the [Manage permissions] button. The following diagram shows Private CA permission management.

    [Diagram pca-3_en: Private CA permission management]

    Next stage

    You have completed the concepts introduction course to use Private CA. Go to Private CA scenario, and learn an overall scenario of how to use various features provided by Private CA.
