The Function Of The PKI Certificate Repository
While there are a lot of terms used in technology that are very different in meaning from their use in general conversation, the word repository is one exception. The definition of repository is literally a place or receptacle where things are stored. In the most basic sense, this is also the central function of the PKI certificate repository, but it also has other important functions as well.
With the development of SSL (Secure Sockets Layer) and the more recent versions of TLS (Transport Layer Security) came the need for a central location where the certificate and its public key can be stored and accessed. Because this is where the public keys and certificates live, a central repository is a must; without it the system simply could not operate.
While you may think that a central PKI certificate repository holds all types of certificates and keys, it is common to have a dedicated repository for specific Public Key Infrastructure environments. These storage and management areas function in much the same way and rely on compatible search mechanisms and open standards such as LDAP (Lightweight Directory Access Protocol).
In order for the PKI certificate repository to function, it has to have a way to identify and locate the certificates and public keys. If this could not be done quickly and efficiently, it would cause delays when accessing websites, sending encrypted emails, providing a digital signature or processing credit or debit card information online.
To avoid these types of issues, the LDAP system uses a hierarchical index. Each certificate stored within the structure is identified by what is known as a Distinguished Name. This allows a particular certificate to be located immediately, without the risk of retrieving the wrong one.
Within the repository, there is also the CA root certificate. This is the certificate from the Certificate Authority that all other certificates issued by that CA will chain up to. Think of this cert as the top of a pyramid. It is self-signed by the CA, in our case by Comodo.
Our root certificates are recognized and trusted by 99.9% of all browsers and devices. In other words, our root certificates are represented in the trust stores of those browsers and devices.
The root cert, which may also be called the root signing certificate, is shielded by the chain of intermediate certificates. This helps to protect the root certificate's private key from being accessed. A breach or compromise of the private signing key for a root certificate would be devastating and would require the complete revocation of every certificate signed by that key. For this reason, the private key for the root CA is always kept in a very secure location, sometimes even offline for maximum security.
The trustworthiness of any CA is tied to the security of its root certificates. Likewise, browsers and devices carefully evaluate any additions of root certificates to ensure the highest standards of trust and security.
In addition to the root certificate, there is also the CA signing certificate. This is used to bind the public and private key pairs. This signing certificate creates the links in the chain of trust between the intermediate certificates, which are also located in the PKI certificate repository.
Within the PKI certificate repository, there is also a list of revoked certificates. It is maintained for certs that have to be revoked before they expire; depending on the specific term and SSL/TLS cert type, that could be one, two or three years.
If the private key for a cert at any point in the chain is compromised, the cert can be revoked. Because the list is maintained, a revoked cert cannot be used as an intermediate cert without causing path validation to fail.
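A simplified model of the lookup and revocation behaviour described above (Distinguished Name indexing, chaining up to a self-signed root, and a revocation-list check during path validation), added here as an illustration rather than code from this article or from Comodo; the DNs, serials and dates are constructed, and signatures are not modelled.

```python
from collections import namedtuple
from datetime import datetime, timezone
import re

def dn_key(dn):
    """RFC 4514 string DN -> hashable index key; unescaped commas separate RDNs, types are case-insensitive."""
    rdns = (r.strip().split("=", 1) for r in re.split(r"(?<!\\),", dn))
    return tuple((attr.strip().lower(), value.strip()) for attr, value in rdns)

# Public data only: the private key never enters the repository.
CertRecord = namedtuple("CertRecord", "subject issuer serial not_after")

class Repository:
    def __init__(self):
        self.by_subject = {}  # DN key -> CertRecord
        self.revoked = set()  # (issuer DN key, serial): entries taken from the CRL
    def add(self, cert): self.by_subject[dn_key(cert.subject)] = cert
    def revoke(self, cert): self.revoked.add((dn_key(cert.issuer), cert.serial))
    def lookup(self, dn): return self.by_subject.get(dn_key(dn))

def validate_path(repo, leaf, trust_anchors, now):
    """Walk leaf -> intermediates -> root; return (True, chain) or (False, reason)."""
    anchors = {dn_key(a) for a in trust_anchors}
    chain, cert = [], leaf
    while cert is not None and cert.subject not in chain:  # stop on missing issuer or loop
        chain.append(cert.subject)
        key, issuer_key = dn_key(cert.subject), dn_key(cert.issuer)
        if key == issuer_key:  # self-signed: acceptable only as a configured trust anchor
            return (True, chain) if key in anchors else (False, "untrusted root")
        if cert.not_after < now:
            return False, f"expired: {cert.subject}"
        if (issuer_key, cert.serial) in repo.revoked:  # CRL hit breaks the path
            return False, f"revoked: {cert.subject}"
        cert = repo.lookup(cert.issuer)  # next link up the chain, located by issuer DN
    return False, "issuer not in repository or loop in chain"

def demo():
    """Constructed scenario: a three-link chain validates, then fails once the intermediate is revoked."""
    exp, now = datetime(2030, 1, 1, tzinfo=timezone.utc), datetime(2025, 1, 1, tzinfo=timezone.utc)
    root = CertRecord("CN=Example Root CA,O=Example", "CN=Example Root CA,O=Example", 1, exp)
    inter = CertRecord("CN=Example Intermediate CA,O=Example", root.subject, 2, exp)
    leaf = CertRecord(r"CN=www.example.com,O=Example Corp\, Inc.", inter.subject, 3, exp)
    repo = Repository()
    for cert in (root, inter, leaf):
        repo.add(cert)
    before = validate_path(repo, leaf, [root.subject], now)
    repo.revoke(inter)  # intermediate key compromised: CRL gains (root DN, serial 2)
    after = validate_path(repo, leaf, [root.subject], now)
    return before, after, repo.lookup(" cn=Example Root CA , o=Example ") is root
```

The lookup at the end shows that differences in attribute-type case and whitespace do not produce a different index entry, while the escaped comma in the leaf's organisation name stays part of one RDN.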
It is important to stress that only the public key is ever maintained in the PKI certificate repository. The private key will always remain with the applicant for the SSL/TLS product. This may include having the certificate and private key installed on an email client, browser, device or server. The private key itself should only be kept in a private file that is backed up and secured.
For more information on how Public Key Infrastructure works, give us a call. Our sales team is available to answer your questions at +1 888 266 6361, or you can talk to us via the live chat system on the website at https://www.instantssl.com.