== Terminology ==

The following terminology will be used in this wiki page regarding subordinate CAs.

'''In-House:''' The subordinate CA is operated by the same organization operating the root CA.

'''Third-Party:''' The subordinate CA is operated by a third party external to the root CA organization.

'''Private:''' The subordinate CA issues certificates to entities affiliated with the sub-CA organization.

'''Public:''' The subordinate CA issues certificates to entities not affiliated with the sub-CA organization.

There are four possible combinations:

# '''In-house public''' subordinate CAs. This is the typical case where a commercial CA establishes one or more internally-operated subordinates to offer certificates of a particular type (e.g., EV vs. non-EV certificates, or SSL certificates vs. email certificates) to the general public.
# '''Third-party public''' subordinate CAs. This is the situation we've seen with some government-sponsored root CAs (and perhaps in other cases as well -- I can't recall exactly) where the organization running the root CA delegates to other organizations the task of issuing end entity certificates to the general public. For example, there might be a separate organization authorized to issue certificates for general business purposes, another organization issuing certificates specifically within a vertical industry sector like financial services, a third organization to issue certificates to individuals, and so on.
# '''In-house private''' subordinate CAs. This case would cover CA organizations that establish subordinate CAs for internal testing or other internal purposes.
# '''Third-party private''' (or enterprise) subordinate CAs. This is the typical case where a commercial CA has enterprise customers who want to operate their own CAs for internal purposes, e.g., to issue SSL server certificates to systems running intranet applications, to issue individual SSL client certificates for employees or contractors for use in authenticating to such applications, and so on.

== Subordinate CAs Operated by Third Parties For Internal Use ==