Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual page 22

Chapter 1. Introduction to Public-Key Cryptography
Certificate Type
CA certificates
Object-signing certificates
Table 1.1. Common Certificates
Section 1.3.3.2.1, "CA Signing Certificates"
Section 1.3.3.2.2, "Other Signing Certificates"
Section 1.3.3.2.3, "SSL Server and Client Certificates"
Section 1.3.3.2.4, "User Certificates"
Section 1.3.3.2.5, "Dual-Key Pairs"
Section 1.3.3.2.6, "Cross-Pair Certificates"
1.3.3.2.1. CA Signing Certificates
Every Certificate Manager has a CA signing certificate with a public/private key pair it uses to sign the
certificates and CRLs it issues. This certificate is created and installed when the Certificate Manager is
installed.
The Certificate Manager's status as a root or subordinate CA is determined by whether its CA signing
certificate is self-signed or is signed by another CA. Self-signed root CAs set the policies they use to
issue certificates, such as the subject names, types of certificates that can be issued, and to whom
certificates can be issued. A subordinate CA has a CA signing certificate signed by another CA,
usually the one that is a level above in the CA hierarchy (which may or may not be a root CA). If the
Certificate Manager is a subordinate CA in a CA hierarchy, the root CA's signing certificate must
be imported into individual clients and servers before the Certificate Manager can be used to issue
certificates to them.
The CA certificate must be installed in a client if a server or user certificate issued by that CA is
installed on that client. The CA certificate confirms that the server certificate can be trusted. Ideally, the
certificate chain is installed.
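The following is an added example, not part of the Red Hat manual: it uses the OpenSSL command line to build a constructed root CA, subordinate CA and server certificate, classifies each CA signing certificate as root or subordinate by testing whether it is self-signed, and shows that a client accepts the server certificate only when its trust store holds the chain up to the root. The subject names, file names and the helper functions make_demo_hierarchy, classify_ca and client_trusts are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example; needs the openssl CLI. All names below are constructed.

# Build Root CA -> Subordinate CA -> server certificate inside directory $1.
make_demo_hierarchy() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
    # Root CA: self-signed CA signing certificate.
    openssl req -config "$d/o.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Subordinate CA: CA signing certificate signed by the root CA.
    openssl req -config "$d/o.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Subordinate CA" -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -days 1 -extfile "$d/o.cnf" -extensions ca -out "$d/sub.pem" 2>/dev/null
    # Server certificate issued by the subordinate CA.
    openssl req -config "$d/o.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" -set_serial 3 \
        -days 1 -out "$d/srv.pem" 2>/dev/null
    # The full chain a client would import: subordinate CA plus root CA.
    cat "$d/sub.pem" "$d/root.pem" > "$d/chain.pem"
}

# Print "root" if CA certificate $1 is self-signed, otherwise "subordinate".
# Self-signed means subject == issuer AND the signature verifies under its own key.
classify_ca() {
    if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
         "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
       openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
    then echo root; else echo subordinate; fi
}

# Print "yes" if a client whose trust store is file $1 accepts certificate $2.
client_trusts() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

demo() {
    t=$(mktemp -d) && make_demo_hierarchy "$t" || return 1
    echo "root.pem: $(classify_ca "$t/root.pem") CA, sub.pem: $(classify_ca "$t/sub.pem") CA"
    echo "store = sub.pem only,   srv.pem trusted: $(client_trusts "$t/sub.pem" "$t/srv.pem")"
    echo "store = sub + root CA,  srv.pem trusted: $(client_trusts "$t/chain.pem" "$t/srv.pem")"
    rm -rf "$t"
}
demo
```

A store holding only root.pem also rejects srv.pem in this check, because nothing supplies the subordinate CA certificate that links the two.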