SSH Communications Security

CA

The trusted parties that sign, issue and manage certificates are called certification authorities (CAs). A CA is the entity that vouches for the identity and trustworthiness of the end entity to which it grants certificates. Certification authorities can be thought of as analogous to governments issuing passports to their citizens.

A CA can be a third party trusted by everyone in the PKI, or it can belong to the same organization as the end entities. CAs can also certify other CAs (to issue certificates) by signing so-called CA certificates. This leads to a tree-like structure of CA hierarchies. The top CA in the "tree" is called a root CA. A new root CA is established in two steps:

  1. Generation of a CA key pair and a CA certificate.
  2. Exporting the CA public key "out-of-band" to all end entities in the PKI.

The public keys of CAs are usually built into specific client applications. CA keys are then distributed when the client applications are installed on the end users' devices (workstations, laptops, PDAs). Before end entities can communicate securely, their public keys also need to be certified by enrolling the end entities into the PKI and having their certificates issued by the CA.
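
The two steps above and the enrollment that follows them, as an added example that is not part of the original documentation. It assumes the OpenSSL command-line tool rather than the product's own utilities, models the out-of-band step as comparing a SHA-256 fingerprint obtained over a separate channel, and uses hypothetical function names, paths and subject names:

```shell
#!/bin/sh
# Added example: hypothetical names and paths, throwaway keys. Unencrypted
# keys (-nodes) are for the demo only; protect a real CA key.
# Step 1: generate the root CA key pair and its self-signed CA certificate.
make_root_ca() {                     # $1 = CA directory, $2 = subject CN
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    chmod 600 "$1/ca.key"
}

# SHA-256 fingerprint of a certificate, the value conveyed out-of-band.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Step 2, end-entity side: install the CA certificate as a trust anchor only
# if its fingerprint equals the one received over the separate channel.
install_trust_anchor() {             # $1 = cert, $2 = expected fp, $3 = store
    got=$(cert_fingerprint "$1") || return 1
    if [ -n "$got" ] && [ "$got" = "$2" ]; then
        cp "$1" "$3"
    else
        echo "fingerprint mismatch, refusing $1" >&2
        return 1
    fi
}

# Enrollment: the end entity makes a key pair and request; the CA signs it.
issue_cert() {                       # $1 = CA directory, $2 = CN, $3 = prefix
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$3.crt" 2>/dev/null
}

# Does the certificate chain to the installed trust anchor?
chain_ok() {                         # $1 = trust anchor, $2 = certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo on constructed data in a temporary directory.
d=$(mktemp -d)
make_root_ca "$d/ca" "Constructed Root CA"
fp=$(cert_fingerprint "$d/ca/ca.crt")
install_trust_anchor "$d/ca/ca.crt" "$fp" "$d/trusted.crt"
issue_cert "$d/ca" "host.example" "$d/host"
chain_ok "$d/trusted.crt" "$d/host.crt" && echo "host.example chains to root"
rm -rf "$d"
```

A second CA created with the same subject name yields a different fingerprint, so `install_trust_anchor` refuses it, and certificates it signs fail `chain_ok` against the installed root.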


Copyright © 2001 SSH Communications Security Corp
All rights reserved.