Updated on 2023-07-26 GMT+08:00

Basic Concepts

Root CA

The public key certificate of a CA. A root certificate is the trust anchor in the public key infrastructure (PKI) system. It can issue subordinate CAs, private certificates, and certificate revocation lists (CRLs). After a root CA is imported into the client trust list, the certificates issued by it can be validated as trusted.

Subordinate CAs

A subordinate CA, or intermediate CA or child CA, is used to isolate the root CA from the private certificates. It is the key to divide the CA hierarchy. A subordinate CA validates certificates at the next layer in the certificate chain. If the path length of a subordinate CA is greater than 0, it can issue lower-layer subordinate CAs.

The path depth of a subordinate CA controls how many layers of subordinate CAs the current CA can issue. (The last layer of the certificate chain is a private certificate).

Private certificate

A private certificate is an end-entity certificate, which is installed on an end entity, including certificates used for the client (or client certificates) and certificates used for the server (or server certificates). An end-entity certificate is at the bottom layer of a certificate chain and is used to authenticate an entity. It cannot be used to issue a certificate and is a credential for HTTPS communication between the entity that owns the certificate and other entities. Figure 1 shows the content of a private certificate.

Figure 1 Private certificate

Certificate Revocation List (CRL)

A certificate revocation list (CRL) is a list of certificates revoked by the parent CA when they are still valid. The revoked certificates include subordinate CAs and private certificates. A CRL is a structured data file in a fixed format. It contains the issuer information, time when the CRL takes effect, time when the CRL is updated next time, issuing algorithm, fingerprint, as well as the serial number, revocation time, and revocation reason code of a revoked certificate. Figure 2 provides more details.

Figure 2 Certificate Revocation List (CRL)

Certificate chain

A certificate chain is a file that combines all certificates from the root CA to the private certificates in a fixed sequence. A certificate chain is used to validate certificates layer by layer. Figure 3 shows an example certificate chain.

Figure 3 Certificate chain
Certificate validation involves the following aspects:
  • Integrity of the certificate chain and validity of certificates
  • Validity of the root CA, which is preinstalled in its trust store.

The following information is validated during the validation process:

  • Subject the certificate owner claims, such as the domain name of the server
  • Certificate validity period
  • Key usage, such as key negotiation and digital signatures.
  • Digital signature
  • Whether the certificate has been revoked.

    Not all validation items are listed here. The X.509 certificate allows users to add multiple customized extension items. For details, see related international standards.

PCA Certificate Validity Period

In a certificate chain, the root CA is the trust anchor for all of the subordinate CAs and the end-entity certificates below it. Once the root CA expires, all certificates issued by the root CA and its subordinate CAs are no longer trusted. The validity period of the root CA is the upper limit of the validity period of all lower-layer certificates. Even if the validity period of a lower-layer certificate can be set to a value greater than that of the root CA (if not mandated), the certificate chain validation fails as long as the root CA in the chain expires.

In the PCA service, the validity period of a certificate cannot be longer than that of its parent CA. This ensures that the validity periods decrease gradually in the certificate chain from the root CA to the private certificate. Table 1 lists the restrictions PCA places on validity periods of certificates.

The validity periods of different types of certificates vary depending on their roles. The more frequently a certificate is used, the higher the risk of key leakage is. Therefore, the validity period of frequently used certificate should be as short as possible. A root CA is used only to issue subordinate CAs. Root CAs are infrequently used, and the tightest protection measures are used for them. (KMS is used for CA key management in PCA). The validity period of a root CA is about 10 to 30 years. The lower the layer of a subordinate CA, the shorter the validity period. The subordinate CA at the lowest layer is used to issue private certificates, so its validity period is usually set to 2 to 5 years. A private certificate is frequently used during communications. The validity period of a private certificate can be set to several hours, months, or one or two years based on the security requirements of application scenarios.

Table 1 Certificate validity period constraints

Certificate Type

Min. Validity Period

Max. Validity Period

Extension Supported

Remarks

Root CA

1 hour

30 years

No

None

Subordinate CA

1 hour

20 years

No

The root CA must within the validity period.

Private certificate

1 hour

20 years

No

The root CA must within the validity period.