An existing certificate may need to be revoked when, for example, the user name changes, the private
key leaks, or the user stops the business. Revoking a certificate is to remove the binding of the public
key with the user identity information. In PKI, the revocation is made through certificate revocation lists
(CRLs). Whenever a certificate is revoked, the CA publishes one or more CRLs to show all certificates
that have been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an
effective way for checking the validity of certificates.
A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing
them in a single CRL may degrade network performance, and it uses CRL distribution points to indicate
the URLs of these CRLs.
A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking
certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of certification practice
statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and
e-mail. As different CAs may use different methods to check the binding of a public key with an entity,
make sure that you understand the CA policy before selecting a trusted CA for certificate request.
Architecture of PKI
A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in
Figure 1-1 PKI architecture
An entity is an end user of PKI products or services, such as a person, an organization, a device like a
router or a switch, or a process running on a computer.
A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues
certificates, specifies the validity periods of certificates, and revokes certificates as needed by
A registration authority (RA) is an extended part of a CA or an independent authority. An RA can
implement functions including identity authentication, CRL management, key pair generation and key
pair backup. The PKI standard recommends that an independent RA be used for registration
management to achieve higher security of application systems.