Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual page 785

Certificates and Authentication
CA Hierarchies
In large organizations, it may be appropriate to delegate the responsibility for
issuing certificates to several different certificate authorities. For example, the
number of certificates required may be too large for a single CA to maintain;
different organizational units may have different policy requirements; or it may be
important for a CA to be physically located in the same geographic area as the
people to whom it is issuing certificates.
It's possible to delegate certificate-issuing responsibilities to subordinate CAs. The
X.509 standard includes a model for setting up a hierarchy of CAs like that shown
in Figure J-6.
Figure J-6: Example of a Hierarchy of Certificate Authorities
In this model, the root CA is at the top of the hierarchy. The root CA's certificate is
a self-signed certificate: that is, the certificate is digitally signed by the same
entity—the root CA—that the certificate identifies. The CAs that are directly
subordinate to the root CA have CA certificates signed by the root CA. CAs under
the subordinate CAs in the hierarchy have their CA certificates signed by the
higher-level subordinate CAs.
Organizations have a great deal of flexibility in terms of the way they set up their
CA hierarchies. Figure J-6 shows just one example; many other arrangements are
possible.
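The signing relationships described above, as an added example that is not from the manual or the product: a standard-library Python model of a three-level hierarchy that walks issuer links up to a self-signed root. It uses toy RSA over small known primes in place of real X.509 signatures; the CA names, keys, and helper functions are all constructed for illustration.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy RSA key from two known primes (illustration only, not secure)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _digest(cert, n):
    """Hash the signed fields (subject, issuer, public key) into an integer mod n."""
    tbs = f"{cert['subject']}|{cert['issuer']}|{cert['pub']}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(subject, subject_key, issuer, issuer_key):
    """Build a certificate for `subject`, signed with the issuer's private key."""
    cert = {"subject": subject, "issuer": issuer,
            "pub": (subject_key["n"], subject_key["e"])}
    n = issuer_key["n"]
    cert["sig"] = pow(_digest(cert, n), issuer_key["d"], n)
    return cert

def signed_by(cert, issuer_pub):
    """True if cert's signature verifies under the issuer's public key."""
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == _digest(cert, n)

def chain_to_root(cert, known, trusted_roots, max_depth=8):
    """Follow issuer links upward; return the subjects up to a trusted root."""
    path = []
    for _ in range(max_depth):
        path.append(cert["subject"])
        if cert["subject"] == cert["issuer"]:  # self-signed: must be a trust anchor
            if trusted_roots.get(cert["subject"]) == cert and signed_by(cert, cert["pub"]):
                return path
            raise ValueError("self-signed certificate is not a trusted root")
        parent = known.get(cert["issuer"])
        if parent is None or not signed_by(cert, parent["pub"]):
            raise ValueError(f"no valid issuer certificate for {cert['subject']}")
        cert = parent
    raise ValueError("chain exceeds max_depth")

# Constructed three-level hierarchy; names and keys are made up for this example.
def m(k):
    return 2**k - 1  # Mersenne primes for k = 31, 61, 89, 107, 127, 521
ROOT_KEY, REGION_KEY, DEPT_KEY = make_key(m(31), m(61)), make_key(m(89), m(107)), make_key(m(127), m(521))
ROOT = issue("Root CA", ROOT_KEY, "Root CA", ROOT_KEY)        # signed by itself
REGION = issue("Region CA", REGION_KEY, "Root CA", ROOT_KEY)  # signed by the root
DEPT = issue("Dept CA", DEPT_KEY, "Region CA", REGION_KEY)    # signed by its parent
KNOWN = {c["subject"]: c for c in (ROOT, REGION, DEPT)}
print(chain_to_root(DEPT, KNOWN, {"Root CA": ROOT}))
```

A self-signed certificate verifies under its own key by construction, so the walk accepts one only when it matches an entry in `trusted_roots`.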
Appendix J: Introduction to Public-Key Cryptography
