1. Certificate Authority (CA):
    1. The trusted entity, usually a server with a tightly controlled signing key, that issues digital certificates.
    2. A certificate binds a public key to the identity of a user, host, service or process; relying parties trust that binding because the CA signed it.
  2. Intermediate CA:
    1. Any Certificate Authorities between the Root CA and the end user or final process.
  3. Mapping:
    1. One-to-One Mapping:
      1. When an individual certificate is mapped to a single recipient.
    2. Many-to-One Mapping (Overloading):
      1. When multiple certificates are mapped to a single recipient.
  4. Registration Authority (RA):
    1. Verifies the identity of certificate applicants before the CA issues a certificate; the RA vets requests but does not sign certificates itself.
    2. Revocation status (not an RA function; these are how relying parties learn that an issuer has withdrawn a certificate before it expires):
      1. Certificate Revocation List (CRL):
        1. A signed list, published by the issuing CA, of the serial numbers of certificates that have been revoked before their expiry date.
        2. These certificates should no longer be trusted. A CRL carries a nextUpdate time, and a client that cannot fetch a fresh CRL must decide whether to fail open or fail closed.
      2. Online Certificate Status Protocol (OCSP):
        1. An alternative to a CRL: the client asks an OCSP responder about one certificate's serial number and receives a signed good/revoked/unknown answer instead of downloading the whole list. Responses are signed by the CA or by a responder it delegates to, so they are carried over plain HTTP; the signature, not transport encryption, is what protects them.
        2. OCSP has been criticized because every client lookup puts load on the CA's responder, adds a round trip to each connection, and tells the responder which sites a client is visiting.
        3. OCSP stapling (the TLS status_request extension, RFC 6066) remedies this: the server fetches a signed OCSP response for its own certificate ahead of time and includes ("staples") it in the TLS handshake, so the client verifies the signature without contacting the responder.
        4. See RFC 6960 for more on OCSP.
  5. Key Escrow:
    1. Also known as a fair cryptosystem.
    2. When copies of private keys are held by a trusted third party so that another party, such as an employer, a government or a court, can gain access to encrypted communications or data. Normally only encryption (decryption) keys are escrowed; escrowing a signing key would defeat non-repudiation, because the holder could no longer be the only party able to produce that signature.
  6. Key Recovery Agent (KRA):
    1. A designated person or account that holds a key recovery certificate. In CAs that support key archival (Microsoft AD CS is the usual example), archived private keys are stored encrypted to the KRA's public key, so recovering a user's archived key requires the KRA's private key and is an auditable, deliberate act.
  7. Certificate Signing Request (CSR):
    1. A message (PKCS #10, RFC 2986) sent from an applicant to the CA to apply for a certificate. The applicant generates the key pair locally; the private key never leaves the applicant.
    2. CSRs contain:
      1. The public key
      2. Identifying information (the subject name and, commonly, requested extensions such as subjectAltName)
      3. A digital signature over the request, made with the applicant's private key. This protects the request's integrity and proves possession of the private key; the CA remains free to override any requested name or extension when it issues the certificate.
  8. Online vs Offline CA:
    1. In a Public Key Infrastructure (PKI), the chain of trusted authorities begins with the root certificate authority (Root CA).
    2. Once the root CA is installed and the root certificate is created, the system administrator must issue certificates authorizing intermediate/subordinate CAs.
    3. A common method to ensure the security and integrity of a root CA is to keep it in an offline state (powered off and never networked), and only bring it online when it is needed for specific, infrequent tasks - typically limited to issuing or re-issuing certificates that grant authority to intermediate CAs, and signing the root's own CRL. An offline root still has to publish a fresh CRL before the previous one's nextUpdate lapses, so "offline" means a scheduled key ceremony, not never.
    4. See RFC 5280 for more information on the certificate and CRL profiles and the path validation algorithm.
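The pieces above (CSR, intermediate CA signed by a root that is otherwise kept offline, chain validation, CRL revocation) as one added, runnable example that is not part of the original notes: a two-tier PKI built with the openssl command line in a temporary directory. Everything in it is constructed for the lab and is an assumption of the example, not something the notes specify: the pki_lab function, the names "Lab Root CA", "Lab Issuing CA" and www.lab.example, the file names, the key sizes and validity periods, and the minimal ca.cnf used only so that `openssl ca` can maintain a revocation database. It needs openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the notes): two-tier PKI with the openssl CLI.
# Root -> intermediate (pathlen:0) -> server leaf, then revoke the leaf via a CRL.
# All names, file names and parameters below are made up for the lab.

pki_lab() (
  set -eu
  command -v openssl >/dev/null || { echo "openssl not found" >&2; return 1; }
  work=$(mktemp -d)
  cd "$work"

  # --- 1. Root CA (the trust anchor). In production this key lives on an offline host
  #        and is only used to sign intermediates and the root CRL.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Lab Root CA" \
    -keyout root.key -out root.csr >/dev/null 2>&1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile root.ext -out root.crt >/dev/null 2>&1

  # --- 2. Intermediate CA. The CSR carries the public key and subject and is signed
  #        with the applicant's own private key (proof of possession); the root signs it
  #        with pathlen:0 so it can issue end-entity certificates but no further CAs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Lab Issuing CA" \
    -keyout int.key -out int.csr >/dev/null 2>&1
  openssl req -in int.csr -noout -verify >/dev/null 2>&1   # CSR self-signature checks out
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid:always' > int.ext
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile int.ext -out int.crt >/dev/null 2>&1

  # --- 3. Leaf (server) certificate, issued by the intermediate only. The CA sets the
  #        extensions itself from leaf.ext rather than trusting whatever the CSR asked for.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.lab.example" \
    -addext "subjectAltName=DNS:www.lab.example" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:www.lab.example' 'authorityKeyIdentifier=keyid:always' > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 397 -sha256 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1

  # --- 4. Path validation: only the root is a trust anchor; the intermediate is supplied
  #        as untrusted and must chain to the root on its own merits.
  chain=fail
  openssl verify -purpose sslserver -CAfile root.crt -untrusted int.crt leaf.crt \
    >/dev/null 2>&1 && chain=ok

  # --- 5. Revocation: the intermediate revokes the leaf and publishes a signed CRL.
  #        ca.cnf is the minimum `openssl ca` needs to keep its index of issued/revoked serials.
  touch index.txt
  echo 01 > crlnumber
  printf '%s\n' '[ca]' 'default_ca = lab' '[lab]' 'database = index.txt' \
    'new_certs_dir = .' 'serial = int.srl' 'crlnumber = crlnumber' \
    'certificate = int.crt' 'private_key = int.key' 'default_md = sha256' \
    'default_crl_days = 7' 'policy = lab_policy' '[lab_policy]' 'commonName = supplied' > ca.cnf
  openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out int.crl >/dev/null 2>&1

  # A relying party that checks the leaf's CRL must now reject the certificate.
  revoked=missed
  openssl verify -purpose sslserver -CAfile root.crt -untrusted int.crt \
    -CRLfile int.crl -crl_check leaf.crt >/dev/null 2>&1 || revoked=detected

  cd / && rm -rf "$work"
  echo "chain:$chain revoked:$revoked"
)

pki_lab
```

Running the block prints `chain:ok revoked:detected`. The two `openssl verify` calls are the whole point: the first succeeds because leaf.crt chains through int.crt to the one trusted root, the second fails with "certificate revoked" only because `-crl_check` was asked for and a CRL was supplied; without `-crl_check` the revoked leaf still validates, which is exactly the fail-open behaviour the CRL and OCSP items above warn about.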