Certificate Authority and Hierarchy

11 Sep 2020

Certificate Authority and Hierarchy

Read time: 15 mins

Security and safety on the internet are essential, and individuals and organizations often have a legitimate need to encrypt and verify the identity of the individuals they are communicating with.

A certificate authority is a trusted entity that issues digital certificates. A certificate authority performs three major tasks:

  • Issues certificates
  • Certifies the identity of the certificate owner
  • Proves the validity of the certificate

Digital Certificates

A certificate, or a digital certificate, is a set of data to verify an entity’s identity. Certificates are issued by CAs and follow a specific format (X.509 certificate standard).

The information contained in a certificate is:

  • Subject

    Provides the name of the computer, user, network device, or service that the CA issues the certificate to.

  • Serial Number

    Provides a unique identifier for each certificate that a CA issues.

  • Issuer

    Provides a distinguished name for the CA that issued the certificate.

  • Valid From

    Provides the date and time when the certificate becomes valid.

  • Valid To

    Provides the date and time when the certificate is no longer considered valid.

  • Public Key

    Contains the public key of the key pair that is associated with the certificate.

  • Signature Algorithm

    The algorithm used to sign the certificate.

  • Signature Value

    Bit string containing the digital signature.

How Does a Certificate Authority Work?

The process for getting a certificate authority to issue a signed certificate is explained below:

  1. The requestor or client creates a key pair (public and private key) and submits a request known as a certificate signing request (CSR) to a trusted certificate authority. The CSR contains the public key of the client and all the information about the requestor.
  2. The CA validates whether the information on the CSR is true. If so, it issues and signs a certificate using the CA’s private key and then gives it to the requestor to use.
  3. The requester can use the signed certificate for the appropriate security protocol:

Uses of a certificate authority

Certificate authorities issues various types of certificates, one of which is an SSL certificate. SSL certificates are used on servers and are the most common certificate that an everyday user would come in contact with. The three levels of an SSL certificate are

  • Extended Validation (EV)
  • Organization Validation (OV)
  • Domain Validation (DV)
Certificates with higher levels of trust usually cost more as they require more work on the part of the certificate authority.
  1. Extended Validation (EV)

    These Certificates provide the highest level of assurance from the certificate authority that it has validated the entity requesting the certificate.

    During verification of an EV SSL Certificate, the owner of the website passes a thorough and globally standardized identity verification process (a set of vetting principles and policies ratified by the CA/Browser forum) to prove exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove the entity has been authorized the issuance of the certificate. This verified identity information is included within the certificate.

    For example: An individual requesting an EV certificate must be validated through face-to-face interaction with the applicant as well as review of a personal statement, one primary form of identification, such as a passport or driver’s license, as well as two secondary forms of identification.

  2. Organization Validation (OV)

    OV certificates take security assurance and require human verification of the organization’s identity.

    OV SSL certificates assures visitors that they’re on a website run by an authentic business. Before an OV certificate is granted, a member of the security team must contact the business to confirm that the owners actually requested the SSL certificate.

  3. Domain Validation (DV)

    Domain Validation certificates are the easiest to get among all the other certificates, since no manual identity check takes place.

    DV SSL Certificates require only that the applicant demonstrate ownership of the domain for which the certificate is being requested.

    DV certificates can be acquired almost instantly and at low to no cost.

    For example: ACM Cert Manager’s DNS or Email validation.

Certificate authorities also issue other types of digital certificates: 

  1. Code Signing Certificates

    Code signing certificates are used by software publishers and developers to sign their software distributions. End-users use these to authenticate and validate software downloads from the vendor or developer.

  2. Email certificates

    Enable entities to sign, encrypt, and authenticate email using the S/MIME (Secure Multipurpose Internet Mail Extension) protocol for secure email attachments.

  3. Device certificates

    Issued to internet of things (IOT) devices to enable secure administration and authentication of software or firmware updates.

  4. Object certificates

    Used to sign and authenticate any type of software object.

  5. User or client certificates

    Used by individuals for various authentication purposes.

Client-Server Authentication via Certificate Authority (CA):

The CA establish a digital certificate also known as an SSL/TLS certificate that binds a public key to some information related to the entity that owns that public key. This enables any system to verify the entity-key binding of any presented certificate.

Step 1
The first step is finding out if the CA is a trusted CA. The CA name is taken from the certificate and compared to a list of trusted CA’s provided by the web browser. If the CA name is found to be a trusted CA, the client will then get the CA’s corresponding public key to use in the next validation step.
Step 2
In this step, the digital signature on the server’s certificate will be validated. It is basically the hash of the CA’s Public key.
Step 3
To validate the digital signature, the client hashes the CA’s public key with the same hash algorithm used by the CA to get the digital signature.
Step 4
If the two hashes match then the digital signature is valid and the certificate is authenticated. If the hashes do not match then the certificate is invalid and cannot be authenticated.
Step 5
Certificate expiration dates also need to be checked to validate the certificate.
Step 6
Once a certificate is authenticated, the identity of the owner of the certificate will be authenticated as well.

CA Hierarchy options:

CAs are hierarchical in structure, and there are generally three types of hierarchies: one-tier, two-tier, and three-tier.

Single/One-Tier Hierarchy:

In this type of hierarchy, the single CA is both an Issuing CA and a Root CA. The Root CA is installed as an Enterprise CA, leaving the Root CA in the network as a member of a specific domain. In short, the Root CA is always available to issue certificates to requesting users, computers, network devices etc.

This single-tier hierarchy is not recommended for any production scenario because with this hierarchy, a compromise of this single CA equates to a compromise of the entire PKI.

Two-Tier Hierarchy:

A two-tier hierarchy meets most company’s needs. This design comprises an offline Root CA and an online Subordinate issuing CA. In this model, the level of security is increased because the Root CA is detached from the network, so the private key of the Root CA is better protected from any compromises. The two-tier hierarchy also increases scalability and flexibility, since there can be multiple Issuing CAs subordinate to the Root CA. This allows CAs to exist in different geographical locations, as well as at different security levels.

Three-Tier Hierarchy:

In a three-tier CA hierarchy, an offline Root CA is installed as a standalone Root CA, and one or more offline Intermediate/Policy CAs and one or more issuing CAs are installed as Enterprise Subordinate CAs. The Policy CA is configured to issue certificates to the Issuing CA which is restricted in what type of certificates it issues. One of the reasons the second layer is added in this hierarchy is that if you need to revoke a number of CAs due to a key compromise, you can perform it at the Second level, leaving other “branches from the root” available. It should be noted that Second Tier CAs in this hierarchy can, like the Root, be kept offline.

Conclusion

A certificate authority plays the key role of facilitating secure communication and building trust between a user and a resource by verifying that the organization and client in question are authentic or valid.

For a complete list of the recommendations for planning a CA hierarchy, along with the level of business impact at which you should consider implementing them, refer to Securing PKI: Appendix F: List of Recommendations by Impact Level.

Author

Parnashree Saha is a data protection senior consultant at Encryption Consulting LLC working with PKI, AWS cryptographic services, GCP cryptographic services and other data protection solutions.