Certification authority (CA) certificates are certificates that are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two CAs.
A certificate that is issued by a CA to itself is referred to as a trusted root certificate, because it is intended to establish a point of ultimate trust for a CA hierarchy.
Once the trusted root has been established, it can be used to authorize subordinate CAs to issue certificates on its behalf.
CA certificates can also be used to establish trust relationships between CAs in two different public key infrastructure (PKI) hierarchies.
In all of these cases, the CA certificate is critical to defining the certificate path and usage restrictions for all end-entity certificates issued for use in the PKI.
The appropriate configuration of CA certificates for the organization's needs is one of the most powerful tools that an organization has to implement appropriate PKI security. CA certificates contain special configuration data that regulate the CAs to which they are issued. These configuration options can:
- Define the organizational namespace in which
certificates issued by the subordinate CA can be issued and
trusted.
- Specify the acceptable uses of certificates
issued by the subordinate CA.
- Define the issuance guidelines that must be
followed in order for a certificate issued by the subordinate CA to
be considered valid.
- Create a managed trust between separate
certification hierarchies.