This manual involves two types of certificates: local certificate and CA certificate. A local certificate is a digital certificate signed by a CA for an entity, while a CA certificate is the certificate of a CA. If multiple CAs are trusted by different users in a PKI system, the CAs form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself, while each lower-level CA has a CA certificate signed by the CA at the next higher level.

CRL

An existing certificate may need to be revoked when, for example, the user name changes, the private key leaks, or the user stops doing business. Revoking a certificate removes the binding of the public key with the user identity information. In PKI, revocation is made through certificate revocation lists (CRLs). Whenever a certificate is revoked, the CA publishes one or more CRLs listing all certificates that have been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an effective way of checking the validity of certificates.

A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL would degrade network performance; it then uses CRL distribution points to indicate the URLs of these CRLs.

CA policy

A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of a certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and e-mail.

As different CAs may use different methods to check the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate request.

Architecture of PKI

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in Figure 1-1.

Figure 1-1 PKI architecture

Entity

An entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer.
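The CA tree and the CRL checking described above, as an added example that is not part of this manual and not the device's own implementation. It uses the Python `cryptography` package to build a root CA, a lower-level CA signed by the root, and two entity certificates, then has the lower-level CA publish its revocations over two CRLs reached through CRL distribution points, as the text describes. The validation routine walks from the entity certificate up to the root, verifying each signature with the next-higher CA's public key and looking each certificate's serial number up in the CRL named by its distribution point. All names, URLs, serial numbers and the fixed clock are constructed for the example; the in-memory dictionary of CRLs stands in for the downloads a real client would perform.

```python
"""Added example (not from the manual): a small CA tree with CRLs published at
per-certificate distribution points, and chain validation up to a trusted root."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
NOW = datetime.datetime(2024, 1, 1, tzinfo=UTC)  # constructed fixed clock for the example
DAY = datetime.timedelta(days=1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(cn, is_ca, issuer=None, crl_url=None):
    """Return (private_key, certificate). issuer is the (key, cert) pair of the signing CA;
    with no issuer the certificate is self-signed, i.e. a root CA certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer_key, issuer_name = (key, _name(cn)) if issuer is None else (issuer[0], issuer[1].subject)
    b = (x509.CertificateBuilder()
         .subject_name(_name(cn)).issuer_name(issuer_name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if crl_url:  # CRL distribution point: where relying parties fetch this certificate's CRL
        b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            [x509.UniformResourceIdentifier(crl_url)], None, None, None)]), critical=False)
    return key, b.sign(signer_key, hashes.SHA256())


def make_crl(ca, revoked_serials):
    """A CRL signed by the CA (key, cert) that lists the given serial numbers as revoked."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca[1].subject)
         .last_update(NOW).next_update(NOW + 7 * DAY))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW).build())
    return b.sign(ca[0], hashes.SHA256())


def _crl_url(cert):
    try:
        dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return None
    return dps[0].full_name[0].value  # first URL of the first distribution point


def _period(cert):  # cryptography >= 42 has *_utc properties; older versions give naive UTC times
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)


def validate(chain, trusted_roots, crl_repository, now=NOW):
    """chain[0] is the entity certificate, chain[-1] the root CA certificate.
    Returns 'ok' or the reason for rejection. crl_repository maps distribution-point URL -> CRL."""
    root = chain[-1]
    if root.subject != root.issuer or root not in trusted_roots:
        return "untrusted root"  # the top of the tree must be self-signed and locally trusted
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return "broken chain"
        try:  # the next-higher CA's public key must verify this certificate's signature
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return "bad signature"
        not_before, not_after = _period(cert)
        if not (not_before <= now <= not_after):
            return "expired"
        crl = crl_repository.get(_crl_url(cert))  # the CRL this certificate points at
        if crl is None or crl.issuer != issuer.subject or not crl.is_signature_valid(issuer.public_key()):
            return "no valid CRL"  # a real client would also reject a CRL past its next_update
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
    return "ok"


def demo():
    root = make_cert("Example Root CA", True)
    sub = make_cert("Example Sub CA", True, issuer=root, crl_url="http://pki.example/root.crl")
    alice = make_cert("alice", False, issuer=sub, crl_url="http://pki.example/sub-1.crl")
    bob = make_cert("bob", False, issuer=sub, crl_url="http://pki.example/sub-2.crl")
    # The sub CA splits its revocations over two CRLs at two distribution points;
    # bob's certificate is revoked, alice's is not (constructed scenario).
    repo = {"http://pki.example/root.crl": make_crl(root, []),
            "http://pki.example/sub-1.crl": make_crl(sub, []),
            "http://pki.example/sub-2.crl": make_crl(sub, [bob[1].serial_number])}
    impostor = make_cert("Example Sub CA", True)  # same name as the real sub CA, different key
    forged = make_cert("alice", False, issuer=impostor, crl_url="http://pki.example/sub-1.crl")
    return {"alice": validate([alice[1], sub[1], root[1]], [root[1]], repo),
            "bob": validate([bob[1], sub[1], root[1]], [root[1]], repo),
            "forged": validate([forged[1], sub[1], root[1]], [root[1]], repo),
            "untrusted": validate([forged[1], impostor[1]], [root[1]], repo)}


if __name__ == "__main__":
    print(demo())
```

Running the script prints alice as accepted, bob as revoked, the forged certificate as failing signature verification against the real sub CA key, and the impostor tree as an untrusted root. Keying the CRL lookup on the certificate's own distribution point is what lets a CA partition a large revocation set across several CRLs without the client having to download all of them.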