CAServer (OpenCA terminology)

The Certification Authority. In this document it is used to describe the CA as described in Figure 7-1

RAServer (OpenCA terminology)

The Registration Authority. In this document it is used to describe the RA as described in Figure 7-1

RAOperator (OpenCA terminology)

The front–end of the Registration Authority that interacts with the users. In this document its functionality is described at Figure 7-1

Entity authentication mechanisms

Entity authentication mechanisms allow the verification, of an entity's claimed identity, by another entity. The authenticity of the entity can be ascertained only for the instance of the authentication exchange.

Peer entity authentication

Peer entity authentication is the corroboration that a peer entity in an association is the one claimed. This service is provided for use at the establishment of, or at times during, the data transfer phase of a connection to confirm the identities of one or more of the entities connected to one or more of the other entities.


An unambiguous formula or set of rules for solving a problem in a finite number of steps. Algorithms for encryption are usually called Ciphers.

Certification Authority (CA)

An entity that attests to the identity of a person or an organisation. A Certificate Authority might be an external company such as VeriSign that offers certificate services or they might be an internal organisation such as a corporate MIS department. The Certificate Authority's chief function is to verify the identity of entities and issue digital certificates attesting to that identity.

The acronym CA can be found in different variations.

  • Certification Authority (Used in this document and found in most documents)

  • Certifying Authority (Found in the RSA Security Crypto FAQ)

  • Certificate Authority (Found in various documents)

Certificate Request

An unsigned certificate for submission to a Certification Authority, which signs it with the Private Key. Once the certificate request gets signed, it becomes a Certificate. This term is used in PKIX terminology and it is the same with the Certificate Signing Request. We use both terms to describe the same thing.

Certificate Signing Request (CSR) (OpenCA terminology)

An unsigned certificate for submission to a Certification Authority, which signs it with the Private Key of their CA Certificate. Once the CSR is signed, it becomes a real certificate.


An algorithm or system for data encryption. Examples are DES, IDEA, RC4, etc.


The result of the encryption of ciphertext, using a cipher.

Configuration Directive

A configuration command that controls one or more aspects of a program's behavior. In Apache context these are all the command names in the first column of the configuration files.


A cross–certificate is a certificate issued by one CA to another CA which contains a CA signature key used for issuing certificates.

DER format

A binary format to encode certificates.

Digital Signature

A method of signing electronic documents (otherwise digital data) using Public Key Cryptography.

Digital Timestamp

An electronic record that mathematically links a document to a time and date.

Electronic Commerce

The exchange of goods, services and fiduciary information or instruments via distributed computer and communication networks.


Diminished in cryptographic strength (and security) in order to comply with the United States' Export Administration Regulations (EAR). Export–crippled cryptographic software is limited to a small key size, resulting in Ciphertext which usually can be decrypted by brute force.

Currently there is draft policy in the United States that provides substantial freedom to the availability of cryptographic software. This policy remains to be finalised and voted in order to become effective. Similar legislation is expected to be voted in the European Parliament soon.

Fully–Qualified Domain–Name (FQDN)

The unique name of a network entity, consisting of a hostname and a domain name that can resolve to an IP address. For example, www is a hostname, is a domain name, and is a fully–qualified domain name.

HyperText Transfer Protocol (HTTP)

The HyperText Transport Protocol is the standard transmission protocol used on the World Wide Web.


The HyperText Transport Protocol (Secure), the standard encrypted communication mechanism on the World Wide Web. This is actually just HTTP over SSL.


The entity (often a person) that controls a private key.

Key recovery

The ability of an individual, organisation or their authorised agents to obtain an extra copy of a key (or other information necessary for decryption) that enables them to decrypt the ciphertext.

Lightweight Directory Access Protocol (LDAP)

LDAP is a specification for a client–server protocol to retrieve and manage directory information.

Message Digest

A hash of a message, which can be used to verify that the contents of the message have not been altered in transit.


OpenLDAP is an open–source implementation of LDAP. It provides a stand–alone LDAP server, a stand–alone LDAP replication server, libraries implementing the LDAP protocol, and other relevant software. For more information on OpenLDAP, see


An open–source implementation of the SSL/TLS protocol. It is based on SSLeay. For more about OpenSSL, see

Pass Phrase

The word or phrase that protects private key files. It prevents unauthorized users from encrypting them.

PEM format

A text (ASCII) format that can be used to encode Certificates. It is essentially the Certificate in DER format that has been encoded with Base64 and had a header and footer added.


The text that will be encrypted. If we decrypt succesfully a ciphertext, the result is the plaintext.

Private Key

The secret key in a Public Key Cryptography system, used to decrypt incoming messages and sign outgoing ones.

Public Key

The publically available key in a Public Key Cryptography system, used to encrypt messages bound for its owner and to verify signatures made by its owner.

Public Key Cryptography

The study and application of asymmetric encryption systems, which use one key for encryption and another for decryption. A corresponding pair of such keys constitutes a key pair. Also called Asymmetric Cryptography.

Public Key Cryptography Standards PKCS

A series of cryptographic standards dealing with public-key issues, published by RSA Laboratories.


Data structures that are suitable for representing arbitrary complex data structures.

Secure Sockets Layer (SSL)

A protocol created by Netscape Communications Corporation for general communication authentication and encryption over TCP/IP networks. The most popular usage is HTTPS, i.e. the HyperText Transfer Protocol (HTTP) over SSL.

Single Sign–On (SSO)

The ability to authenticate once and use several security services based on that authentication.


The original SSL/TLS implementation library developed by Eric A. Young; see Now it has been renamed to OpenSSL; see OpenSSL.

Symmetric Cryptography

The study and application of Ciphers that use a single secret key for both encryption and decryption operations.

Transport Layer Security (TLS)

The successor protocol to SSL, created by the Internet Engineering Task Force (IETF) for general communication authentication and encryption over TCP/IP networks. The current version, TLS version 1, is nearly identical with SSL version 3.

Trusted Third Party (TTP)

Another description for the Certification Authority that stresses that the keeper of the CA private key should be an organisation or an entity that has no interests or ties of any kind with the clients.

Uniform Resource Locator (URL)

The formal identifier to locate various resources on the World Wide Web. The most popular URL scheme is http. SSL uses the scheme HTTPS.


A CCITT specification for directory services.


An authentication certificate scheme recommended by the International Telecommunication Union (ITU–T) which is used for SSL/TLS authentication.

Attribute Authority (AA)

An authority trusted by one or more users to create and sign attribute certificates. It is important to note that the Attribute Authority is responsible for the attribute certificates during their whole lifetime, not just for issuing them.

Attribute Certificate (AC)

A data structure containing a set of attributes for an end-entity and some other information, which is digitally signed with the private key of the AA which issued it.


Can refer to either an Attribute Certificate or a Public Key Certificate certificate. Where there is no distinction made the context should be assumed to apply to both an AC and a public key certificate.

Certification Authority (CA)

An authority trusted by one or more users to create and assign public key certificates. Optionally the Certification Authority may create the user's keys. It is important to note that the Certification Authority is responsible for the public key certificates during their whole lifetime, not just for issuing them.

Certificate Policy (CP)

A named set of rules that indicates the applicability of a public key certificate to a particular community or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of public key certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.

Certification Practice Statement (CPS)

A statement of the practices which a Certification Authority employs in issuing public key certificates.

End–entity (EE)

A subject of a certificate who is not a Certification Authority in the Public Key Infrastructure or an Attribute Authority in the Priviledge Management Infrastructure. (An End–entity from the Public Key Infrastructure can be an Attribute Authority in the Priviledge Management Infrastructure.)

Public Key Certificate (PKC)

A data structure containing the public key of an end-entity and some other information, which is digitally signed with the private key of the Certification Authority which issued it.

Public Key Infrastructure (PKI)

The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke PKCs based on public-key cryptography.

Priviledge Management Infrastructure (PMI)

A collection of Attribute Certificates, with their issuing Attribute Authority's, subjects, relying parties, and repositories, is referred to as a Priviledge Management Infrastructure

Registration Authority (RA)

An optional entity given responsibility for performing some of the administrative tasks necessary in the registration of subjects, such as: confirming the subject's identity; validating that the subject is entitled to have the values requested in a Public Key Certificate and verifying that the subject has possession of the private key associated with the public key requested for a Public Key Certificate.

Relying Party

A user or agent (e.g., a client or server) who relies on the data in a certificate in making decisions.

Root CA

A Certification Authority that is directly trusted by an End–entity; that is, securely acquiring the value of a Root CA public key requires some out-of-band step(s). This term is not meant to imply that a Root CA is necessarily at the top of any hierarchy, simply that the CA in question is trusted directly.

Subordinate CA

A subordinate CA is one that is not a Root CA for the End–entity in question. Often, a subordinate CA will not be a Root CA for any entity but this is not mandatory.


A subject is the entity (Attribute Authority, Certification Authority, or End–entity) named in a certificate. Subjects can be human users, computers (as represented by Domain Name Service (DNS) names or Internet Protocol (IP) addresses), or even software agents.

Top CA

A Certification Authority that is at the top of a PKI hierarchy.