VeriFone V200c Reference Manual page 40


File Authentication
Planning for File Authentication
Hierarchical Relationships Between Certificates
All digital certificates are hierarchically related to one another. Under the rules of
the certificate hierarchy managed by the Verifone CA, a lower-level certificate
must always be authenticated under the authority of a higher-level certificate. This
rule ensures the overall security of VeriShield.
To manage hierarchical relationships between certificates, certificate data is
stored in terminal memory in a special structure called a certificate tree. New
certificates are authenticated based on data stored in the current certificate tree.
This means that a new certificate can only be authenticated under a higher-level
certificate already resident in the terminal's certificate tree. This requirement can
be met in two ways:
• The higher-level certificate may have already been downloaded to the terminal
  in a previous or separate operation.
• The higher-level certificate can be downloaded together with the new
  certificate as part of the same data transfer operation.
Higher-level production certificates are downloaded into each terminal at
manufacture. When you take a new device out of its shipping packaging,
certificate data is already stored in the terminal's certificate tree.
Typically, a sponsor requests an additional set of digital certificates from the
Verifone CA to establish sponsor and signer privileges. This additional set of
certificates is then downloaded to the terminal when the device is being prepared
for deployment. When this procedure is complete, the device is called a
deployment device.
Adding New Certificates
When you add a new certificate file to a terminal, the system detects it by filename
extension (*.crt). The device then attempts to authenticate the certificate under
the authority of the resident higher-level certificate stored in the terminal's
certificate tree or one being downloaded with the new certificate.
In a batch download containing multiple certificates, each lower-level certificate
must be authenticated under an already-authenticated, higher-level certificate.
Whether or not the data a new certificate contains is added to the terminal's
certificate tree depends on its successful authentication. The following points
explain how certificates are processed:
• If a new certificate is successfully authenticated, the information it contains is
  automatically stored in the terminal's certificate tree. The corresponding
  certificate file (*.crt) is not retained.
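
The batch rule described above, as an added Python model (not Verifone code and not the terminal's real implementation): a certificate is accepted only under a higher-level certificate already in the tree, including one accepted earlier in the same download. The Cert fields, the sample names, the HMAC stand-in for the real signature check and the repeated-pass ordering are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Cert:            # hypothetical model, not the real *.crt layout
    name: str
    level: int         # 0 = top of the hierarchy; larger = lower level
    issuer: str        # name of the higher-level certificate that signed it
    key: bytes         # stand-in for the certificate's key material
    sig: bytes = b""

def mac(parent, c):
    # Assumption: HMAC-SHA256 keyed by the parent stands in for the signature.
    msg = f"{c.name}|{c.level}|{c.issuer}|".encode() + c.key
    return hmac.new(parent.key, msg, hashlib.sha256).digest()

def issue(parent, name, key):
    c = Cert(name, parent.level + 1, parent.name, key)
    return replace(c, sig=mac(parent, c))

def authenticates(tree, c):
    parent = tree.get(c.issuer)        # issuer must already be in the tree
    if parent is None or parent.level >= c.level:
        return False
    return hmac.compare_digest(mac(parent, c), c.sig)

def process_batch(tree, files):
    # Repeat passes so a certificate can rely on one accepted in this batch.
    pending = sorted(f for f in files if f.endswith(".crt"))
    while True:
        ok = [f for f in pending if authenticates(tree, files[f])]
        if not ok:
            return pending             # files that never authenticated
        for f in ok:
            cert = files.pop(f)        # the *.crt file is not retained
            tree[cert.name] = cert     # its data joins the certificate tree
            pending.remove(f)

def demo():
    root = Cert("factory-root", 0, "", b"root-key")   # constructed sample data
    tree = {root.name: root}
    sponsor = issue(root, "sponsor", b"sponsor-key")
    signer = issue(sponsor, "signer", b"signer-key")
    orphan = issue(Cert("unknown-ca", 0, "", b"other-key"), "orphan", b"k")
    files = {"signer.crt": signer, "sponsor.crt": sponsor, "orphan.crt": orphan}
    return process_batch(tree, files), sorted(tree), sorted(files)

if __name__ == "__main__":
    print(demo())
```

What the terminal does with a certificate file that fails authentication is not covered in the text above, so the model only reports such files as pending.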
