Cloud Key Management

Key Management – Recommendations and Best Practices

Cryptographic keys are a vital part of any security system. They do everything from data encryption and decryption to user authentication. The compromise of any cryptographic key could lead to the collapse of an organization’s entire security infrastructure, allowing the attacker to decrypt sensitive data, authenticate themselves as privileged users, or give themselves access to other sources of classified information. Luckily, proper management of keys and their related components can ensure the safety of confidential information.

Key Management is the process of putting certain standards in place to ensure the security of cryptographic keys in an organization. Key Management deals with the creation, exchange, storage, deletion, and refreshing of keys, as well as the access members of an organization have to keys.

Primarily, symmetric keys are used to encrypt and decrypt data-at-rest, while data-in-motion is encrypted and decrypted with asymmetric keys. Symmetric keys are used for data-at-rest since symmetric encryption is quick and easy to use, which is helpful for clients accessing a database, but is less secure.

Since a more complicated and secure encryption is needed for data-in-motion, asymmetric keys are used.

The way symmetric key systems work and steps listed below.

  1. A user contacts the storage system, a database, storage, etc, and requests encrypted data
  2. The storage system requests the data encryption key (DEK) from the key manager API, which then verifies the validity of the certificates of the key manager API and the key manager
  3. A secure TLS connection is then created, and the key manager uses a key encryption key (KEK) to decrypt the DEK which is sent to the storage systems through the key manager API
  4. The data is then decrypted and sent as plaintext to the user

Asymmetric key systems work differently, due to their use of key pairs. The steps follow below:

  1. The sender and recipient validate each other’s certificates via either their private certificate authority (CA) or an outside validation authority (VA)
  2. The recipient then sends their public key to the sender, who encrypts the data to be sent with a one-time use symmetric key which is encrypted by the recipient’s public key and sent to the recipient along with the encrypted plaintext
  3. The recipient decrypts the one-time use symmetric key with their own private key, and proceeds to decrypt the data with the unencrypted one-time use key

While these key systems do keep data secure, that makes the cryptographic keys the biggest sources of security concerns for an organization, which is where key management comes in.

To ensure strong security and uniformity across all government organizations, the National Institute of Standards and Technology (NIST) has created Federal Information Processing Standards (FIPS) and NIST Recommendations, referred to as NIST Standards, for sensitive and unclassified information in government organizations. These standards have security methods approved for all government data that is unclassified and sensitive.

Since these standards are approved for all of the government’s sensitive and unclassified data, this means they are best-practice methods for cryptographic key protection for non-governmental companies.

NIST Standards

The first security issue the NIST Standards review are cryptographic algorithms which are used for the encryption of data. Previously in this blog, symmetric and asymmetric cryptographic algorithms were discussed, but the NIST Standards only approve of a few specific types of these algorithms.

For symmetric algorithms, block cipher-based algorithms, such as AES, and hash function-based algorithms, like SHA-1 or SHA-256, are approved. Block cipher based algorithms iterate through a series of bits called blocks and uses different operations, such as XOR, to permutate the blocks over a series of rounds, leading to the creation of a ciphertext.

Hash function-based algorithms use hashes, which are one-way functions, to generate hash data. Asymmetric algorithms are all accepted, NIST says that “the private key should be under the sole control of the entity that “owns” the key pair,” however.Cryptographic hash functions, which do not use cryptographic keys, and Random Bit Generators (RBGs), which are used for key material generation, are also approved by NIST Standards. A list of all algorithms approved by NIST Standards can be found in FIPS 180 and SP 800-90 for hash functions and RBG respectively.
Also discussed by NIST Standards is how cryptographic keys should be used. The most important recommendation is that a unique key should be created at every key creation. A key should not be used for both authentication and decryption, a user should have a separate key for each use. NIST Standards gives advice on what a cryptoperiod should be set to. A cryptoperiod is the time span that a key can be used for its given purpose before it must be renewed or, preferably, replaced with a new key. For asymmetric-key pairs, each key has its own cryptoperiod. The cryptoperiod of the key used to create a digital signature is called the originator-usage period, while the other cryptoperiod is called the recipient-usage period. NIST Standards suggests that the two cryptoperiods begin at the same time, but the recipient-usage period can extend beyond the originator-usage period, not vice versa.


Key Management is one of the essential portions of cybersecurity, and therefore should be executed with all the best-practices in mind. Luckily, the government publishes the NIST Standards which recommend the best ways to minimize security risks related to cryptographic keys.

The NIST Standards discuss how keys should be used, what cryptographic algorithms are approved for government work, and what cryptoperiods for keys should be set to. As NIST Standards are updated, it is worth keeping track of to ensure your security system is always up to date.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

Riley Dickens is a Consultant at Encryption Consulting, working with PKIs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Object Identifiers (OIDs) are like the Internet domain name space, organizations that need such an identifier may have a root OID assigned to them. They can thus create their own sub OIDs much like they can create subdomains. A large and standardized set of OIDs already exists.

An OID corresponds to a node in the “OID tree” or hierarchy, which is formally defined using the ITU’s OID standard, X.660. The root of the tree contains the following three arcs:

  1. ITU-T
  2. ISO
  3. joint-iso-itu-t

Table of Contents

What is an Object Identifier (OID)?

An OID, or Object Identifier, can be applied to each CPS (Certificate Practice statement). The OID is an identifier that is tied to the CPS or, if multiple policies are defined, to each CA’s certificate policy.

Object Identifiers are controlled by IANA and you need to register a Private Enterprise Number (PEN), or OID arc under namespace. Here is the PEN registration page:

When acquired, your OID namespace will look as follows:{PENnumber}. You can assign certificate policies under your private namespace, for example:

  •{PENnumber}.1.1 – Smart Card issuance policy
  •{PENnumber}.1.2 – Digital signature certificate issuance policy
  •{PENnumber}.1.3 – Encryption certificate with key archival issuance policy

For general purpose CAs, you can use a universal Object Identifier with the value This identifier means “All Issuance Policies” and is a sort of wildcard policy. Any policy will match this identifier during certificate chain validation.

Where do you get an OID?

An OID is a unique sequence of numbers that identifies a specific directory object or attribute. You can define an OID for a CPS as either a public or  private OID.

In case the organization plans to utilize PKI-enabled applications in conjunction with other organizations, the organization must get an OID from a public number-assignment company to certify that their OID will be unique on the Internet. Sources for public OIDs include:

  • The Internet Assigned Numbers Authority (IANA). This source issues free OIDs under the Private Enterprises arc. Every OID assigned by the IANA begins with the numbers representing iso(1).org(3).dod(6).internet(1).private(4).enterprise(1).

Note: An arc is the term used to reference a specific path in the global OID tree maintained by the International Organization for Standardization (ISO) and the International Telecommunication Union. This global OID tree is sometimes referred to as the joint ISO/ITU-T tree. For example, the Private Enterprises arc contains all OIDs that begin with

  • The American National Standards Institute (ANSI). This source issues OIDs for purchase under the U.S. Organizations arc of the ANSI OID tree. Every OID assigned by the ANSI begins with the numbers 2.16.840.1 rep representing joint-iso-itu-t(2). country(16).US(840).US company arc(1).
  • Other countries. Each country has its own OID-management organization. The easiest way to discover the organization for a given country is to perform a Google search ( with the search phrase Country (where Country is the name of the given country) and “Object Identifier.” Here are some examples of the arcs available within the joint ISO/ITU-T tree:
    • Canada: joint-iso-itu-t(2).country(16).canada(124)
    • Netherlands: joint-iso-itu-t(2).country(16).netherlands(528)
    • Switzerland: joint-iso-itu-t(2).country(16).switzerland(756)
    • Thailand: joint-iso-itu-t(2).country(16).thailand(764)

You can also generate a private OID based on your forest’s globally unique identifier (GUID) within the Microsoft IANA-assigned tree. If you decide to use these OIDs, you will have an OID assigned from (where a.b.c.d.e is a unique string of numbers based on your forest’s GUID).

Note: Use the private OID tree only if you do not foresee using the OIDs in conjunction with other organizations and your organization is unwilling to obtain a free OID from the IANA. If you plan on using PKI-enabled applications within other organizations, obtain a free OID tree from the IANA or buy a tree from the ANSI.

Tip: You can obtain your forest’s private OID by opening the Certificate Templates (certtmpl.msc) console as a member of the Enterprise Admins group. In the console tree, right-click Certificate Templates and click View Object Identifiers. In the resulting dialog box, you can choose the High Assurance Object Identifier and click the Copy Object Identifier button. Once you copy the OID, you can plug your forest’s values into the placeholders a.b.c.d.e, removing any trailing digits.

Certificate Policies Extension

The Certificate Policy extension, if present in an issuer certificate, expresses the policies that are followed by the CA, both in terms of how identities are validated before certificate issuance as well as how certificates are revoked and the operational practices that are used to ensure integrity of the CA. These policies can be expressed in two ways: as an OID, which is a unique number that refers to one given policy, and as a human-readable Certificate Practice Statement (CPS). One Certificate Policy extension can contain both the computer-sensible OID and a printable CPS. One special OID has been set aside for any policy, which states that the CA may issue certificates under a free-form policy.

IETF RFC 252717 gives a complete description of what should be present in a CA policy document and CPS. More details on the 2527 guidelines are given in the “PKI Policy Description” section.

As per RFC5280 §, an entry in the Certificate Policies extension consist of a policy identifier (OID) at a minimum. Single Certificate Policies extension may contain multiple entries, an entry per policy. Policy identifier may be combined with one or more policy qualifiers. RFC5280 supports two policy qualifiers:

  1. CPS Pointer
  2. User Notice

CPS Pointer is a URL to a Certificate Practice Statement document that describes the policy under which the certificate in the subject was issued.

User Notice is a small piece of text (RFC recommends using no more than 200 characters) that describes policy.

Microsoft requires that Certificate Policies extension must consist of a policy identifier and one or more policy qualifiers. Preferred policy qualifier is a CPS pointer because User Notice is short and cannot provide enough information, while in CPS Pointer you can provide an URL to CPS document or web page. Another reason to use CPS Pointer is that when you open digital certificate in UI, there is a button called “Issuer Statement”.

Overcome your PKI challenges

Certificate GUI dialog looks for Certificate Policies extension in the certificate and activates the button when found. By pressing the button, you are redirected to a first CPS Pointer URL where you can read certificate issuer statement.

Did you think, why root CA certificate do not need to have a Certificate Policies extension? – Because an implicit Certificate Policies extension with wildcard “All Issuance Policies” is implied for self-signed certificates. And no custom policies shall be defined at root level. Certificate Policies extension must appear at 2nd level (Policy CA in a 3-tier hierarchy or Issuing CA when Policy and Issuing CA roles are combined in a 2-tier hierarchy).

For example, Certificate Policies appearance in a 3-tier hierarchy:

Root CA – no Certificate Policies extension

Policy CA – Certificate Policies extension with one or more policies

Issuing CA – Certificate Policies extension with one or more policies

Leaf certificate – Certificate Policies extension with one or more Policies

NOTE: In a 2-tier hierarchy, the path is shorter, but the same rules applies.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Table of Contents

Digital certificates are used across the Internet to authenticate users exchanging data with one another.  Since every legitimate website uses a certificate, certificate management is extremely important. If a certificate were to be stolen and misused, an attacker could pose as another, more legitimate, source and infect a user with malware via their website. The expiration of a certificate of a certificate can result in an outage, causing an organization to lose out on potential customers. These are just a few reasons to learn more about certificate management.

What is Certificate Management?

Certificate management is the process of monitoring, processing, and executing every process in a certificate’s lifecycle. Certificate management is responsible for issuing, renewing, and deploying certificates to endpoints (servers, appliances, devices, etc.) so that network services are uninterrupted. Certificate management should also automate tasks (issuing, renewal, and so on), as well as provide real time status of the infrastructure of the network.

Certificate management helps manage the network and prevent interruptions and downtime, while providing a detailed monitoring of the whole infrastructure. Good certificate management plans should be able to handle any network, even ones with thousands of devices. If a certificate expires or is misconfigured, catastrophic outages all over the network may occur.

What is a Digital Certificate?

Any discussion of certificate management would be incomplete without explaining what a digital certificate is. A certificate, also known as an SSL/TLS certificate, is a digital identifier for users, devices, and other endpoints within a network. Certificates are linked with a public/private key pair and verify that the public key, which is matched with the valid certificate, can be trusted. The main job of a certificate is to ensure that data sent across a connection between a user and a server is kept private. The certificates does this by encrypting and decrypting data as it is sent across the connection. This is achieved through something called an SSL/TLS Handshake.

TLS Handshake

A TLS Handshake is executed as follows:

  1. Client Hello

    The client hello occurs when the client sends a request to the server to communicate. The TLS version, the cipher suites supported, and a string of random bytes known as the “client random” are included in the hello.

  2. Server Hello

    In the server hello, the server acknowledges the client hello. It then ensures it is using a TLS version that is compatible with the client TLS version, selects a compatible cipher suite from the ones offered by the client, and sends its certificate, the server random (similar to the client random), and the public key to the client.

  3. Certificate Validation

    The validity of the server’s certificate is first checked by the client through the certificate authority. The certificate authority, or CA, is a highly trusted entity given the responsibility of signing and generating digital certificates.

  4. Pre-Master String

    The client then encrypts a random string of bytes, called the “Pre-Master String” with the server’s public key and sends it back to the server. This ensures that only the server can decrypt the key with its own private key, acting as another level of security.

  5. Session Key Creation

    The server decrypts the pre-master key, and then both the client and server create session keys from the client random, the server random, and the premaster string.

  6. Finished Messaging

    The client and server then send each other messages saying they have finished creating their keys, and they compare keys with each other. If the session keys match, the TLS Handshake is completed, and the session keys are used to encrypt and decrypt any data sent between the server and client.

Once created, certificates can be used for authentication of servers, clients, or other devices. Certificates are considered valid for a certain time period, and expire after that time frame. Certificates follow a constant lifecycle which include phases such as creation, renewal, suspension, expiration, and more. If certificates are left to expire, then the certificate holder will no longer be trusted, resulting in a loss of service for the website or device being used. To receive a certificate, a user or website must first go through a certificate authority or sign one themselves.

Certificate Authorities

Certificates can be generated through either a trusted certificate authority or by signing a certificate themselves. Certificate authorities, or CAs, generate certificates for users to be used for TLS/SSL authentication. To ensure a certificate authority can be trusted, the chain of trust of the CA can be followed back to the source CA. A chain of trust is a chain of certificates published by trusted CAs, leading all the way back to the Root CA. To start the process of acquiring a digital certificate, the requestor must send out a Certificate Signing Request (CSR) to the CA. The CSR must have the public key of a key pair created by the requestor, along with information to confirm the identity of the requestor, such as a social security number or driver’s license. Once the requestors identity has been confirmed, the certificate is signed and returned by the CA and can be used for identification of the requestor.

The other option to get a certificate is to create one yourself using the same information, and then to self-sign it. This is used less often, because the identity of the signer cannot be verified with other trusted CAs, thus rendering the self-signed certificate suspicious. Due to this, many will not accept a self-signed certificate, so using a CA to create a certificate is the suggested method.

Why you need a certificate management system?

Certificate Lifecycle

There are several distinct stages to the certificate lifecycle, which are shown below.

  • Discovery

    Discovery is the first stage of the certificate lifecycle. In the discovery phase, the network is scanned for missing, expired, or unusable certificates. This phase also ensures any certificates already in place have been deployed properly. Certificates with vulnerabilities and other weaknesses can also be detected and fixed or replaced. The different certificates are commonly inventoried together in this phase to allow for tracking of certificate statuses, or grouping of related certificate types.

  • Creation/Purchasing

    In this stage the CA creates the certificate itself, or the user purchases a certificate from a trusted CA. The key pair for the certificate is created and the public key, CSR, and personally identifiable information are sent to the CA for certificate creation. If an organization or user does not have or does not wish to create a chain of trusted CAs, a certificate is purchased instead of being created.

  • Installation

    This stage deals with the distribution and installation of the certificate in its proper place. All aspects of the certificate’s configuration are checked in the installation phase, including the key pairs, the cipher suites, and the digital signature. The certificate is then installed onto the appropriate endpoint it was created for, and begins authentication of that endpoint.

  • Storing

    One of the most important stages of the certificate lifecycle is the storing phase. Certificates must be accessible, but not reusable by attackers, thus they must be kept in a secure and centralized location. The storing phase can also inventory the certificates into groups, if inventorying was not done in the discovery phase.

  • Monitoring

    This is the longest phase, where the certificates are monitored throughout the duration of their expiration period. Once the expiration date is reached, or sometimes right before, certain certificate management systems will automatically renew certificates. If automatic certificate management systems are not being used, then a system administrator will need to monitor the network’s certificates and renew, revoke, or replace any certificate that reaches its expiration date.

    There are benefits to both manual and automatic monitoring, which will be discussed in-depth in the next section, but there are two important benefits which stand above the rest. The biggest benefit of manual monitoring is that if an unexpected issue occurs, then the monitor can react in real time to the problem, whereas an automatic system will not know what to do. On the other hand, an automatic monitor’s biggest benefit is that certificate renewals, revocations, etc. will not be forgotten, which can occur if a human is monitoring certificates for years.

  • Renewal

    The renewal process of certificates begins once the validity of the certificate has run out. Once the user or automated systems decide to renew the certificate, a CSR is resent to the original issuing CA to get the certificate renewed. The process occurs as it did with originally creating the certificate, but much more quickly.

  • Revocation

    If the issuing CA has be decommissioned, a certificate is being misused, or for a host of other reasons, then a certificate can be revoked. Once revoked, the certificate is placed on a Certificate Revocation List, or CRL, if a CRL is in use. A CRL is a list of certificates revoked by the CA that should no longer be trusted. If an Issuing CA’s certificate is on a CRL, then that CA cannot be used in a chain of trust for other CAs or certificates. A downside to using CRLs is that revoked certificates are only published periodically, not every time a certificate is revoked. This issue means a user could renew their certificate with their issuing CA, even though a few hours ago their certificate was revoked for illegitimate usage.

  • Replacement

    If a CA’s certificate is revoked or if the certificate owner wishes to move from paid certificates to their own Public Key Infrastructure, then the replacement phase occurs. This occurs less often, as it is easier to just renew a certificate with the original issuing CA.

    The certificate lifecycle is not set in stone. Different organizations will have different stages, combine stages, or leave out entire stages entirely. As long as the certificates are discovered, created, stored, monitored, and renewed, then that is considered a certificate lifecycle.

Manual vs Automated Infrastructure

One of the most important parts of a company’s data security policy is the certificate management infrastructure put into place within the organization. A manual infrastructure involves having an employee create a spreadsheet to keep track of validity periods, policies, revocations, and configuration data of all the certificates within the organization. This method will work with a smaller company with an infrastructure only dealing with a few certificates, but many larger companies can have thousands upon thousands of certificates, making manual infrastructures too complicated. The other option is to create an automated certificate lifecycle infrastructure, which is the more common method. Below is a table highlighting the differences between manual and automated certificate management infrastructures.


Manual Infrastructure

Automated Infrastructure

Lifecycle Stages

Handled via a spreadsheet and a user keeping track of all the certificates within the organization

Streamlined and handled automatically; Certificates renewed/replaced/revoked as soon as necessary

Operational Cost

Costs many man hours

Less cost and no man hours needed


Must be constantly kept track of by the employee in charge to ensure certificates do not expire

Is constantly watched by the software set up in the infrastructure, allowing for quick renewal or replacement of certificates


Easy and quick to implement; Only a spreadsheet is required

The software must be implemented correctly, or certificates will not be monitored correctly

These reasons, and more, are why automated certificate lifecycle management systems are used in Public Key Infrastructures.

The Importance of Certificate Management

One of the most important reasons to have a strong, automated certificate management system is if you have your own Public Key Infrastructure (PKI). A PKI is an infrastructure created to authenticate users based on digital certificates. PKIs can encrypt communications as well. The most common PKI is TLS/SSL, which uses both symmetric and asymmetric encryption in securing connections between two users. The core trust of a PKI comes from the certificates traded between the two sides of the connection. Most PKIs use a two layer architecture, which includes a Root CA and an Issuing CA.

Root CA is a certificate authority that is kept offline and creates a certificate for the online Issuing CA. This creates a chain of trust with all certificates issued by the Issuing CA, as the Root CA is kept offline so it is therefore secure from malicious intent. Issuing CAs distribute certificates for end users and devices. The less commonly used three tier architecture for a PKI includes an Intermediate CA between the Root and Issuing CA, which act as a go between for the Root and Issuing CA. The reason automated certificate management is mainly used by PKIs is because it is more secure to create a PKI correctly once and then let the automated services keep the certificates up to date. This cuts down on the cost to the company, the man hours required to keep the PKI running, and human error. Since so many organizations are creating their own PKI, proper certificate management is key to any company’s security plan.

Another reason that so much importance is put onto certificate management is the need for every device and user that is connected to the Internet to have a digital certificate. Whenever a user or a device connects to a website, the authenticity of their digital certificate is checked, along with the certificate of the website. By having a strong chain of trust and a valid certificate, you can go anywhere on the Internet.  However, a certificate is invalid or expired, if the user or device that certificate belongs to cannot go to most websites, as a secure connection cannot be established. The same holds true for website certificates. If their digital certificate is invalid, then users will not or cannot use that website, for fear of getting malware or viruses on their device.

One more reason to ensure strong certificate management is so that breaches do not occur in an organization. If a certificate were to be allowed into a network, even though it has untrusted CAs in its chain of trust, then the owner of that certificate could steal sensitive data or otherwise misuse company data for malicious purposes. Also, if the certificates are not stored properly, then an attacker could steal that certificate and pose as a legitimate user, while stealing, changing, or deleting sensitive data.

Why you need a certificate management system?

Other Certificate Uses

There are a number of other uses for digital certificates, which are listed below.

  • Intranet Portals
  • Ecommerce websites
  • VPNs
  • Point of Sales System
  • Internet of Things Devices
  • App Development
  • Code Signing
  • Email Signing
  • SSH Key Management
  • Financial Services
  • Customer Service Websites
  • Cloud Authentication

Certificate Management with Encryption Consulting

Encryption Consulting provides a variety of services relating to certificate management. We offer PKI assessments, CP/CPS development for PKIs, and PKI Design and Implementation services. Our PKI assessment will assess the current certificate management practices of our customer and help with the development of a strategy and roadmap for certificate management. Our CP/CPS development and PKI design and implementation services provide assistance in creating and implementing all the stages of a PKI, from on-premises to the cloud. We can provide our services via video or in person, at the customer’s behest. We also provide services to help develop and implement certificate management systems into new and current infrastructure.

To learn more about Encryption Consulting and the services we can provide you, visit our website:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

Shorya Goel is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Certificates, Education Center

What are the two types of CA?

  • Public CAs

    They are organizations which issue certificates to other organizations. Public CAs are generally trusted so certificates issued by them are validated and have higher levels of trust associated.The organization first does some necessary checks, including domain validation. Then the Public CA uses their private key to issue the requester a certificate while also attaching a public key that the requester can use.While someone establishes a connection, the certificate is validated with the Public CA by checking if the requester is the valid holder of the certificate. The public key is checked, and then a secure connection can be established using asymmetric encryption.

  • Private CA

    Ther are an organization’s own local CA that is created for internal purposes only. The certificates issued are signed by the organization’s Private Root CA using its private key. Private CAs are used to build a private internal PKI network to issue certificates within the organization.They can be used to run devices and appliances within the organization and can be utilized by users for VPNs, Secure Email and can be used by servers for encrypting data in a database.

      Free Downloads

      Datasheet of Encryption Consulting Services

      Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

      Encryption Services

      About the Author

      President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

      Certificates, Education Center

      What is a Certificate Authority?

      You use a certificate authority each time you access a website that begins with HTTPS. But the question is, what is a Certificate Authority and how it makes our lives easier by securing the internet? Let’s dive deep into what CA is.

      Certificate Authority is one of the most crucial components of preserving security in the modern digital world. A Certificate Authority, or CA, is a highly trusted entity given the responsibility of signing and generating digital certificates. CAs are one of the most important pillars of a PKI. A certificate authority specifically issues digital certificates that are subsequently used to confirm the legitimacy of websites, devices, individuals, and more.

      What does Certification Authority do?

      A public certificate authority is essentially a publicly dependable body that issues digital certificates to people, companies, and other entities. These issued certificates are short data files with verified organization identification information. So, by having a trustworthy third party vouch for you, CAs are a technique to establish your credibility with those who don’t directly know you (or your organization).

      But the question is, what about website security amidst all these?

      So, a certificate authority undergoes a set of rules to ensure the integrity of certificates. The certifying authority investigates the petitioning entity before issuing a certificate.  They examine records and documentation from official sources to ensure that the business is authentic. After that, the CA issues a digital certificate that the company can use to encrypt and digitally sign its software, websites, and email correspondence.

      Consequently, a certification authority assists you in achieving the following if you are someone who demands a certificate for your company:

      • Substantiate your organization’s identity
      • Verify the legitimacy of your organization.

      Verifying the Authenticity

      How can you tell if you’re linked to a legitimate website? Exactly that depicts the real job of the Certification Authority; it ensures you are aware of whom you are talking with online. CAs verify websites and organizations, which prevents you from sending your data or sensitive numbers to the hacker.

      If you would look at the image below shows what a secured website will look like. When you visit a secure website, there should always be a lock in the URL bar of a modern browser. The lock will reveal more information when you click on it, including a statement confirming the site’s current certificate.

      secured website

      You can even see the certificate details, which include all the parameters such as whom it is issued to, who issued it, validity period and fingerprints, etc.

      certificate details

      If a site displays a warning that the connection is not private and a note that the certificate is untrusted and does not have a valid certificate, it is a kind of fake website and unsafe to open.

      Not a valid certificate

      All certificates must be issued by a reputable entity, be tamper-resistant, and include information proving their legitimacy for this system to function.

      Deep Dive: How CAs Work?

      A certificate authority uses asymmetric encryption for issuing certificates. One public key and one private key are used in asymmetric encryption to encrypt and decrypt a communication and safeguard it against misuse or unwanted access. The private key is used to decrypt messages that have been encrypted using the associated public key, and the certificate holder should only know it. Additionally, the certificate holder may use it to verify their identity when using a digital signature or in place of a password.

      Two Tier and Three Tier CA Hierarchies
      CAs Hierarchies

      The CA hierarchy is one crucial component that supports the overall idea of the certificate authority. In essence, this indicates that CAs exist to confirm the legitimacy of and issue certificates to another certificate authority. The two most common Hierarchies include Two Tier and Three Tier CA Hierarchies, as more tiers can cause more complexity.

      A Two-Tier CA Hierarchy includes Root CA and Issuing CAs, whereas a three-tier CA hierarchy includes Root CA, Policy CAs, and Issuing CAs. The Root CA will issue the intermediate CA certificate. The intermediate CA will afterward issue or sign end-entity certificates or another CA one step lower.

      Looking for Code Signing Product

      Public and Private CAs

      Now we have two types of CAs, namely Public CA and Private CA. Despite having essentially the same functions, they are distinct, and most organizations must use both.

      • Private CAs

        An internal CA governed by the company for whom it provides certificates is known as a private CA (or private certifying authority). To Demonstrate more clearly, it’s the same as signing your child’s report card. Self-signed documents may be acceptable within your company, but strangers who don’t know you will not accept them.

      • Public CAs

        On the other hand, public certificate authorities are independent organizations not under the jurisdiction of the organizations to which they issue certificates. Public CAs are completely unrelated to the individuals who receive their certificates, and the certificates they issue are widely regarded as reliable on the internet.


      A Certificate Authority, or CA, is an extremely reliable entity tasked with creating and signing digital certificates. After a CA signs and issues a certificate, that certificate can be used for establishing communication or other tasks. CAs verify whether the certificates are valid; it is not a good practice to open a website with expired certificates. There are, in general, two types of CAs hierarchies acting nowadays, which are Two Tier and Three tiers CA Hierarchies. There are two types of CAs in functional. To learn more about the Certificate related subjects, visit

      Free Downloads

      Datasheet of Encryption Consulting Services

      Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

      Encryption Services

      About the Author

      Nishiket Kumar is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.

      Let's talk