How CA Certificates Establish Trust
organizational units may have different profile requirements; or a CA may need to be physically
located in the same geographic area as the people to whom it is issuing certificates.
These certificate-issuing responsibilities can be divided among subordinate CAs. The X.509 standard
includes a model for setting up a hierarchy of CAs, shown in Figure B.6, "Example of a Hierarchy of
Certificate Authorities".
Figure B.6. Example of a Hierarchy of Certificate Authorities
The root CA is at the top of the hierarchy. The root CA's certificate is a self-signed certificate; that
is, the certificate is digitally signed by the same entity that the certificate identifies. The CAs that
are directly subordinate to the root CA have CA certificates signed by the root CA. CAs under the
subordinate CAs in the hierarchy have their CA certificates signed by the higher-level subordinate
CAs.
Organizations have a great deal of flexibility in how CA hierarchies are set up; Figure B.6, "Example of
a Hierarchy of Certificate Authorities" shows just one example.
B.4.6.2. Certificate Chains
CA hierarchies are reflected in certificate chains. A certificate chain is a series of certificates issued by
successive CAs. Figure B.7, "Example of a Certificate Chain" shows a certificate chain leading from
a certificate that identifies an entity through two subordinate CA certificates to the CA certificate for
the root CA, based on the CA hierarchy shown in Figure B.6, "Example of a Hierarchy of Certificate
Authorities".
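The chain described above can be assembled from an unordered set of certificates by following each certificate's issuer name up to the self-signed root. The following is an added example, not code from the manual or from Certificate System; the Cert record, the build_chain function and all names in the sample data are hypothetical, and it performs name chaining only (no signature checks).

```python
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str  # name of the entity the certificate identifies
    issuer: str   # name of the CA that signed the certificate

def build_chain(leaf, bundle, trusted_roots, max_depth=8):
    """Order certificates from the entity certificate up to a trusted root.

    Name chaining only. A real validator also verifies each signature,
    the validity period and the CA basic constraint at every step, and
    compares trust anchors by key or fingerprint, not by name.
    """
    by_subject = {c.subject: c for c in bundle}
    chain, current = [leaf], leaf
    # A self-signed certificate (subject == issuer) ends the walk.
    while current.subject != current.issuer:
        if len(chain) > max_depth:
            raise ValueError("chain too long or issuer loop")
        parent = by_subject.get(current.issuer)
        if parent is None:
            raise ValueError(f"missing issuer certificate: {current.issuer}")
        chain.append(parent)
        current = parent
    if current not in trusted_roots:
        raise ValueError(f"untrusted root: {current.subject}")
    return chain

# Constructed sample data: one entity, two subordinate CAs, one root.
ROOT = Cert("CN=Root CA", "CN=Root CA")
SUB1 = Cert("CN=Subordinate CA 1", "CN=Root CA")
SUB2 = Cert("CN=Subordinate CA 2", "CN=Subordinate CA 1")
LEAF = Cert("CN=server.example.com", "CN=Subordinate CA 2")
BUNDLE = [SUB2, ROOT, SUB1]  # deliberately out of order

if __name__ == "__main__":
    for depth, cert in enumerate(build_chain(LEAF, BUNDLE, {ROOT})):
        print(f"{depth}: {cert.subject}  (issued by {cert.issuer})")
```

A missing intermediate, an issuer loop, or a self-signed certificate that is not in the trusted set each raise ValueError instead of returning a partial chain.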