Companies such as VeriSign perform these types of verification and signing services.
Essentially, they perform digital notarization of an individual's or company's credentials
by issuing a certificate that is signed by their CAs. If a CA becomes authorized to issue
certificates as part of the certificate hierarchy, it is issued a certificate of its own,
signed by the commercial CA that Windows operating systems trust automatically.
Any certificate it then issues is implicitly cosigned by the parent CA, that CA's parent,
and so forth. At the top of the certificate chain is always a root CA. Because the root CA has
no parent of its own and is implicitly trusted by all of its child CAs, it is typically held under
heavy physical security and kept disconnected from the network so that it cannot be
compromised remotely. VeriSign's root CAs usually fall within this category.
If you are creating your own internal CA hierarchy, you should consider securing
your root CA with the same precautions.
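The chain of trust described above, as an added example that is not the book's own code: a three-tier hierarchy built in memory with Go's standard crypto/x509 package, consisting of an offline root CA, a subordinate issuing CA whose certificate the root signed, and a server certificate the issuing CA signed. The names ("Example Offline Root CA", "Example Issuing CA", "server.example.internal") and the one-day validity period are constructed for the example. A relying party that trusts only the root accepts the server certificate when the issuing CA's certificate is available for chain building, and rejects it when that intermediate is missing or when the trusted root belongs to a different hierarchy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a three-tier PKI built in memory: an offline root CA, a
// subordinate (issuing) CA whose certificate the root signed, and an
// end-entity certificate the issuing CA signed. All names are constructed.
type Hierarchy struct {
	Root, Issuing, Leaf *x509.Certificate
}

// issue creates a certificate for subject. When parent is nil the certificate
// is self-signed (a root CA); otherwise parentKey signs it, which is what
// "cosigned by the parent CA" means in practice.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random positive serial number (a real CA keeps these unique per issuer).
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	serial.Add(serial, big.NewInt(1))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		// Only CA certificates carry keyCertSign; a verifier rejects any
		// chain in which a non-CA certificate appears as an issuer.
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildHierarchy mints root -> issuing CA -> server certificate. The root's
// private key is used exactly once here and then dropped, mirroring a root
// that stays offline after signing its subordinate CA.
func BuildHierarchy() (*Hierarchy, error) {
	root, rootKey, err := issue("Example Offline Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	issuing, issuingKey, err := issue("Example Issuing CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue("server.example.internal", false, issuing, issuingKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Issuing: issuing, Leaf: leaf}, nil
}

// VerifyChain validates h.Leaf the way a relying party does: trustedRoot is the
// only certificate trusted a priori, and the issuing CA certificate is merely
// offered for chain building when withIntermediate is true. It returns the
// subject names of the chain that was found, leaf first, root last.
func VerifyChain(h *Hierarchy, trustedRoot *x509.Certificate, withIntermediate bool) ([]string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	intermediates := x509.NewCertPool()
	if withIntermediate {
		intermediates.AddCert(h.Issuing)
	}
	chains, err := h.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return nil, err
	}
	var subjects []string
	for _, c := range chains[0] {
		subjects = append(subjects, c.Subject.CommonName)
	}
	return subjects, nil
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	chain, err := VerifyChain(h, h.Root, true)
	fmt.Println("trusting own root, intermediate supplied:", chain, err)
	_, err = VerifyChain(h, h.Root, false)
	fmt.Println("trusting own root, intermediate missing:", err)
	other, _ := BuildHierarchy() // a second, unrelated hierarchy
	_, err = VerifyChain(h, other.Root, true)
	fmt.Println("trusting an unrelated root:", err)
}
```

The second hierarchy reuses the same common names, so the unrelated root even matches the issuing CA's issuer name; verification still fails because the signature on the issuing CA certificate was made with a different root key. Name matching alone never establishes trust, only a verified signature chain ending at a certificate the relying party already holds.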
405 Chapter 12: Enterprise Public Key Infrastructure
TYPES OF CAs
The Certificate Service that is part of Windows Server 2008 supports two different types
of CA configurations: Enterprise and Stand-alone. Both configurations can issue certificates.
The difference is in their dependencies, the types of certificates they can issue, and
to what extent they can be used.