This site requires JavaScript to be enabled
12 views

 

Somebody has to issue you, or your host or service, a certificate and somebody else must decide whether to accept your certificate when you present it. This implies that there must be a "chain of trust" such that the acceptor trusts the issuer.

The issuer of a certificate is an organization called a Certificate Authority (CA). Certificate Authorities come in two flavors, Root and Subordinate. A Subordinate Certificate Authority also has its own certificate, called a CA certificate (a specialized service certificate), issued by a higher-level Certificate Authority. The Root CA is at the top the heirarchy. 

The acceptors of your certificate (e.g. grid services, web services and email clients) maintain a list of issuers (CAs) that they trust. In order to accept your certificate, the application has to find the corresponding CA certificate in its list, and that CA certificate's higher-level CA certificate if necessary, and so on, until it reaches the Root CA certificate. This forms the chain of trust. 

For optimal use of any application in which you use a personal certificate (e.g., to avoid annoying popups and possibly the occasional refusal of service), the CA's certificate should be installed in the application ahead of time to establish the trust chain. Some combinations of browser and remote site will not work unless the CA certificate chain is installed.

Notes:

Authored by Fang Wang
Last modified 1 week ago