XSR User’s Guide
Describing Public-Key Infrastructure (PKI) Chapter 11
Configuring the Virtual Private Network
It is also possible to delegate certificate-issuing responsibilities to subordinate
CAs. The X.509 standard includes a model for setting up a hierarchy of CAs.
As shown in Figure 40, the root CA is at the top of the hierarchy. The root
CA's certificate is a self-signed certificate: that is, the certificate is digitally
signed by the same entity - the root CA - that the certificate identifies.
The CAs that are directly subordinate to the root CA have CA certificates
signed by the root CA. CAs under the subordinate CAs in the hierarchy have
their CA certificates signed by the higher-level subordinate CAs.
Figure 40 Sample Hierarchy of CAs
Certificate Chains
CA hierarchies are reflected in certificate chains. A certificate chain is a series of
certificates issued by successive CAs. Figure 41 shows a certificate chain
leading from a certificate that identifies some entity through two subordinate
CA certificates to the CA certificate for the root CA (based on the CA
hierarchy shown in Figure 40).
[Figure labels: Root CA; Subordinate CAs: US CA, Europe CA, Asia CA, Marketing CA, Sales CA, Admin CA; Certificate issued by Admin CA]
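The chain described above can be reproduced with the openssl command line. This is an added example, not taken from the XSR guide: it builds a constructed three-level hierarchy, checks that the root certificate is self-signed, and validates an entity certificate through two subordinate CA certificates. The file names, the entity name, and the placement of Admin CA under US CA are assumptions.

```shell
#!/bin/sh
# Constructed demo PKI (added example). CA names follow the figure labels;
# the parent of "Admin CA" (US CA here) and all file names are assumptions.
set -eu

# issue <file stem> <common name> <issuer stem | self> <TRUE|FALSE: is it a CA?>
issue() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
    printf 'basicConstraints=critical,CA:%s\n' "$4" > "$1.ext"
    if [ "$3" = self ]; then    # root CA: signed with its own key
        set -- "$1" -signkey "$1.key"
    else                        # all others: signed by the CA one level up
        set -- "$1" -CA "$3.pem" -CAkey "$3.key" -set_serial 1
    fi
    stem=$1; shift
    openssl x509 -req -in "$stem.csr" -days 1 -extfile "$stem.ext" "$@" \
        -out "$stem.pem" 2>/dev/null
}

# build_pki <dir>: Root CA -> US CA -> Admin CA -> end entity
build_pki() {
    ( cd "$1"
      issue root   "Root CA"        self  TRUE
      issue us     "US CA"          root  TRUE
      issue admin  "Admin CA"       us    TRUE
      issue entity "entity.example" admin FALSE )
}

# self_signed <cert>: subject equals issuer and the signature verifies
# under the certificate's own public key
self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# chain_ok <dir> <subordinate CA stems...>: validate entity.pem up to root.pem,
# trusting only the root and supplying the listed subordinate CA certificates
chain_ok() {
    dir=$1; shift
    : > "$dir/untrusted.pem"
    for c in "$@"; do cat "$dir/$c.pem" >> "$dir/untrusted.pem"; done
    openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/untrusted.pem" \
        "$dir/entity.pem" >/dev/null 2>&1
}

PKI=$(mktemp -d); trap 'rm -rf "$PKI"' EXIT
build_pki "$PKI"
self_signed "$PKI/root.pem" && echo "root CA certificate is self-signed"
chain_ok "$PKI" admin us    && echo "chain validates up to the root CA"
chain_ok "$PKI" admin       || echo "chain breaks without the US CA certificate"
```

Only the root certificate is trusted directly; each subordinate CA certificate is accepted solely because the CA above it signed it, so removing one link invalidates everything below it.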