relies on Public Key Infrastructure (PKI) to provide secure communications. PKI
consists of certificate authorities, digital certificates, and public and
Certificate authorities (CAs) manage certificate requests and issue
digital certificates to participating entities such as hosts, network devices,
or users. The CAs provide centralized key management for the participating
based on public key cryptography, digitally authenticate the hosts, devices
and/or individual users. In public key cryptography, such as the RSA encryption
system, each entity has a key pair that contains both a private key and a
public key. The private key is kept secret and is known only to the owning
host, device or user; the public key, by contrast, can be known to everyone.
Anything encrypted with one of the keys can be decrypted with the other. A
signature is formed when data is encrypted with the sender's private key. The
receiver verifies the signature by decrypting it with the sender's public key.
This process relies on the receiver having a copy of the sender's public key
and knowing with a high degree of certainty that it really does belong to the
sender and not to someone pretending to be the sender.
link the digital signature to the sender. A digital certificate contains
information to identify a user or device, such as the name, serial number,
company, department, or IP address. It also contains a copy of the entity's
public key. The CA that signs the certificate is a third party that the
receiver explicitly trusts to validate identities and to create digital
To validate the
signature of the CA, the receiver must first know the CA's public key.
Typically this process is handled out of band or through an operation done at
installation. For instance, most web browsers are configured with the public
keys of several CAs by default.
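The two ideas above, a signature made with a private key and checked with the public key, and a certificate in which a trusted CA binds an identity to that public key, can be worked through end to end in a small self-contained program. The following is an added example written for this page, not code from the original document or from any vendor product. It uses textbook RSA over a SHA-256 digest with no padding (real deployments use RSA-PSS or PKCS#1 v1.5 through a vetted library), generates small 160-bit primes from a fixed seed so the run is reproducible, and uses an invented certificate layout and CA name ("Example Root CA"). The receiver's trust store stands in for the CA public keys a browser ships with: if the issuer is not in it, or the CA signature does not cover the exact identity and key in the certificate, the message is rejected even when the message signature itself is mathematically valid.

```python
"""Toy PKI: RSA-style signatures plus CA-issued certificates (added example).

Assumptions (not from the original text): textbook RSA on a raw SHA-256
digest, 160-bit primes from a seeded RNG, a JSON certificate layout and an
invented CA named "Example Root CA".
"""
import hashlib
import json
import random
from math import gcd


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def make_keypair(rng: random.Random, bits: int = 160, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    while True:
        p, q = _gen_prime(bits, rng), _gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
    return (p * q, e), (p * q, d)  # n is ~320 bits, so a 256-bit digest fits below n


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    """'Encrypt' the digest with the private key: the textbook RSA signature."""
    n, d = private_key
    return pow(_digest(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """'Decrypt' the signature with the public key and compare to the fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == _digest(data)


def _cert_tbs(cert: dict) -> bytes:
    """Canonical bytes of the to-be-signed fields (everything except the signature)."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"},
                      sort_keys=True).encode()


def issue_certificate(ca_name, ca_private_key, subject, subject_public_key, serial):
    """The CA binds subject identity + public key by signing them together."""
    cert = {"subject": subject, "issuer": ca_name, "serial": serial,
            "public_key": list(subject_public_key)}
    cert["signature"] = sign(ca_private_key, _cert_tbs(cert))
    return cert


def validate_certificate(cert: dict, trust_store: dict) -> bool:
    """Check the CA's signature with a CA public key the receiver already trusts."""
    ca_key = trust_store.get(cert["issuer"])
    if ca_key is None:
        return False  # issuer unknown: nothing to anchor trust to
    return verify(ca_key, _cert_tbs(cert), cert["signature"])


def verify_signed_message(cert, message: bytes, signature: int, trust_store) -> bool:
    """Receiver side: trust the certificate first, then use the key it carries."""
    if not validate_certificate(cert, trust_store):
        return False
    return verify(tuple(cert["public_key"]), message, signature)


def demo() -> dict:
    rng = random.Random(2024)  # fixed seed for reproducibility; never do this for real keys
    ca_pub, ca_priv = make_keypair(rng)
    alice_pub, alice_priv = make_keypair(rng)
    other_pub, other_priv = make_keypair(rng)      # a key pair the CA never certified
    trust_store = {"Example Root CA": ca_pub}      # installed out of band, like a browser's CA list
    alice_cert = issue_certificate("Example Root CA", ca_priv, "alice.example", alice_pub, 1)
    msg = b"config push: enable syslog"            # constructed sample message
    sig = sign(alice_priv, msg)
    # Certificate copied from Alice but with the public key replaced: CA signature no longer matches.
    swapped = dict(alice_cert, public_key=list(other_pub))
    # Certificate issued by a CA the receiver has never heard of.
    _, rogue_ca_priv = make_keypair(rng)
    unknown = issue_certificate("Unknown CA", rogue_ca_priv, "alice.example", other_pub, 7)
    return {
        "genuine": verify_signed_message(alice_cert, msg, sig, trust_store),
        "tampered_message": verify_signed_message(alice_cert, msg + b"!", sig, trust_store),
        "swapped_key": verify_signed_message(swapped, msg, sign(other_priv, msg), trust_store),
        "unknown_issuer": verify_signed_message(unknown, msg, sign(other_priv, msg), trust_store),
    }


if __name__ == "__main__":
    print(demo())
```

The last two cases in `demo()` are the reason the certificate exists at all: a valid message signature from some key proves nothing unless a CA the receiver already trusts has vouched that this key belongs to this name, which is why the CA signature must cover the public key together with the identity fields rather than either one alone.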