Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual page 27

How CA Certificates Establish Trust
Section 1.3.5.1, "CA Hierarchies"
Section 1.3.5.2, "Certificate Chains"
Section 1.3.5.3, "Verifying a Certificate Chain"
1.3.5.1. CA Hierarchies
In large organizations, responsibility for issuing certificates can be delegated to several different CAs.
For example, the number of certificates required may be too large for a single CA to maintain; different
organizational units may have different policy requirements; or a CA may need to be physically located
in the same geographic area as the people to whom it is issuing certificates.
These certificate-issuing responsibilities can be divided among subordinate CAs. The X.509 standard
includes a model for setting up a hierarchy of CAs, shown in Figure 1.6, "Example of a Hierarchy of
Certificate Authorities".
Figure 1.6. Example of a Hierarchy of Certificate Authorities
The root CA is at the top of the hierarchy. The root CA's certificate is a self-signed certificate; that
is, the certificate is digitally signed by the same entity that the certificate identifies. The CAs that
are directly subordinate to the root CA have CA certificates signed by the root CA. CAs under the
subordinate CAs in the hierarchy have their CA certificates signed by the higher-level subordinate
CAs.
Organizations have a great deal of flexibility in how CA hierarchies are set up; Figure 1.6, "Example of
a Hierarchy of Certificate Authorities" shows just one example.
1.3.5.2. Certificate Chains
CA hierarchies are reflected in certificate chains. A certificate chain is a series of certificates issued by
successive CAs. Figure 1.7, "Example of a Certificate Chain" shows a certificate chain leading from
a certificate that identifies an entity through two subordinate CA certificates to the CA certificate for
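The hierarchy and chain described above, built and checked with the openssl command-line tool as an added example; this is not part of the Red Hat manual or of Certificate System itself. It creates a self-signed root, two subordinate CA certificates (each signed by the CA one level up) and one end-entity certificate, then verifies the chain the way a relying party does: only the root is trusted, and the subordinate certificates are supplied as untrusted input that must lead back to it. All names are constructed.

```shell
#!/bin/sh
# Added example (not from the Red Hat manual): a three-level CA hierarchy built with openssl.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Extension profile shared by every CA certificate in the hierarchy.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > ca.ext
# Extension profile for the end-entity certificate: it must not be usable to sign other certificates.
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > ee.ext

# issue NAME SUBJECT ISSUER EXTFILE
#   ISSUER "self" produces a self-signed certificate (the root CA). Otherwise the new
#   certificate is signed with the named issuer's key, which forms one link of the chain.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 -sha256 \
      -extfile "$4" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 365 -sha256 -extfile "$4" -out "$1.pem" 2>/dev/null
  fi
}

issue root  "/CN=Example Root CA"        self ca.ext   # self-signed; top of the hierarchy
issue sub1  "/CN=Example Regional CA"    root ca.ext   # CA certificate signed by the root CA
issue sub2  "/CN=Example Department CA"  sub1 ca.ext   # CA certificate signed by sub1
issue alice "/CN=alice@example.com"      sub2 ee.ext   # identifies an entity; signed by sub2

# verify_chain TRUSTED_ROOT UNTRUSTED_INTERMEDIATES LEAF
#   Only the root is a trust anchor. The subordinate CA certificates are untrusted input;
#   openssl must be able to walk from the leaf through them to the root, checking each
#   signature and each CA's basicConstraints on the way, or verification fails.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# Subordinate certificates travel with the end-entity certificate, as in a certificate chain.
cat sub2.pem sub1.pem > intermediates.pem
verify_chain root.pem intermediates.pem alice.pem
```

Dropping sub2 from the untrusted set (or supplying only the root) leaves the chain with a gap, and verification fails with an "unable to get local issuer certificate" style error.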