Definitions

The following are definitions of the main PKIaaS-related concepts.

Applicant

A person, entity, or organization applying for the issuance or renewal of a certificate.

Activation data

Data values, other than keys, that are required to operate cryptographic modules and that need to be protected – for example:

  • PIN

  • passphrases

  • manually-held key share

Agreement

A legally binding contract for PKIaaS comprising:

CA certificate

A certificate for the public key of a CA (Certificate Authority).

Certificate

A digital document issued by the CA that, at a minimum, meets the following:

  • Identifies the CA issuing it.

  • Names or otherwise identifies a subject.

  • Contains the public key of a key pair.

  • Identifies its validity period.

  • Contains a serial number and is digitally signed by the issuing CA.

Certificate revocation list (CRL)

A time-stamped list, digitally signed by the issuing CA, of the serial numbers of certificates that have been revoked before the end of their validity periods.

Certification authority (CA)

The entity, and the technology it operates, that creates, issues, manages, and revokes certificates.

Certificate issuance

The act performed by a CA of creating a certificate that lists the CA as its "Issuer".

Certification practice statement (CPS)

A statement of the practices for a CA to issue, manage, revoke, renew, or re-key certificates.

Cryptographic module

Software, a device, or a utility that:

  • Generates key pairs.

  • Stores cryptographic information.

  • Performs cryptographic functions.

Customer

The entity that has entered into a PKIaaS Agreement with Entrust.

Digital signature

The transformation of an electronic record by one party using a private key and public key cryptography, such that another party holding the corresponding public key can determine:

  • Whether the transformation was created using the private key that corresponds to that public key.

  • Whether the record has been altered since the transformation was made.
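The two checks described above, as an added example that is not part of the original page and not code from any Entrust component: a Go program that signs a record with an ECDSA P-256 private key over a SHA-256 digest and verifies it with only the public key. The function names, the sample record and the tampered copy of it are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newSubscriberKey generates the subject's key pair; only the public half ever leaves this process.
func newSubscriberKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signRecord is the transformation with the private key: the record is hashed with SHA-256 and an
// ECDSA signature over the digest is produced, DER-encoded as it would be carried in X.509 or CMS.
func signRecord(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyRecord is the relying party's side: with nothing but the public key it decides whether the
// signature was produced by the matching private key over exactly this record. A changed record, a
// signature from some other key, or a malformed signature all make it return false.
func verifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, err := newSubscriberKey()
	if err != nil {
		panic(err)
	}
	record := []byte("transfer 100 units to account 42") // constructed sample record
	sig, err := signRecord(priv, record)
	if err != nil {
		panic(err)
	}
	tampered := []byte("transfer 900 units to account 42") // one digit changed after signing
	fmt.Println("genuine :", verifyRecord(&priv.PublicKey, record, sig))   // true
	fmt.Println("tampered:", verifyRecord(&priv.PublicKey, tampered, sig)) // false
}
```

Note that a signature does not hide the record: it travels in the clear next to the signature, and only the verifier's possession of the correct public key, normally taken from the signer's certificate, ties the result to a particular subject.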

Distinguished name (DN)

The unique identifier of a subject, allowing it to be located in a directory based on the ITU-T (formerly CCITT) X.500 standard. PKIaaS does not restrict which distinguished-name attributes a certificate profile may use; every certificate profile supports the attribute types below, listed by alias and OID. Only the OID is encoded in a certificate; the aliases are names accepted by the issuing software.

Alias                                                   OID
'CN' 'CommonName'                                       2.5.4.3
'SN' 'SurName'                                          2.5.4.4
'SERIALNUMBER' 'DeviceSerialNumber'                     2.5.4.5
'C' 'Country'                                           2.5.4.6
'L' 'Locality'                                          2.5.4.7
'ST' 'S' 'State'                                        2.5.4.8
'STREET' 'StreetAddress'                                2.5.4.9
'O' 'Org' 'Organization'                                2.5.4.10
'OU' 'OrganizationalUnit' 'OrganizationUnit' 'OrgUnit'  2.5.4.11
'T' 'Title'                                             2.5.4.12
'BUSINESSCATEGORY'                                      2.5.4.15
'POSTALCODE'                                            2.5.4.17
'givenName' 'G'                                         2.5.4.42
'I' 'Initials'                                          2.5.4.43
'ORGANIZATIONIDENTIFIER'                                2.5.4.97
'UID'                                                   0.9.2342.19200300.100.1.1
'DC' 'DomainComponent'                                  0.9.2342.19200300.100.1.25
'Email' 'E'                                             1.2.840.113549.1.9.1
'unstructuredName'                                      1.2.840.113549.1.9.2
'unstructuredAddress'                                   1.2.840.113549.1.9.8
'JurisdictionOfIncorporationLocalityName'               1.3.6.1.4.1.311.60.2.1.1
'JurisdictionOfIncorporationStateOrProvinceName'        1.3.6.1.4.1.311.60.2.1.2
'JurisdictionOfIncorporationCountryName'                1.3.6.1.4.1.311.60.2.1.3
'TrademarkOfficeName'                                   1.3.6.1.4.1.53087.1.2
'TrademarkCountryOrRegionName'                          1.3.6.1.4.1.53087.1.3
'TrademarkRegistration'                                 1.3.6.1.4.1.53087.1.4
'LegalEntityIdentifier'                                 1.3.6.1.4.1.53087.1.5
'WordMark'                                              1.3.6.1.4.1.53087.1.6
'MarkType'                                              1.3.6.1.4.1.53087.1.13
'StatuteCountryName'                                    1.3.6.1.4.1.53087.3.2
'StatuteStateOrProvinceName'                            1.3.6.1.4.1.53087.3.3
'StatuteLocalityName'                                   1.3.6.1.4.1.53087.3.4
'StatuteCitation'                                       1.3.6.1.4.1.53087.3.5
'StatuteURL'                                            1.3.6.1.4.1.53087.3.6
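As an added example, not part of the original page and not code from Entrust's software, the Go program below builds a subject DN that mixes attributes the standard library names itself (CN, O, C) with three from the table that it only knows by OID (DC, ORGANIZATIONIDENTIFIER, JurisdictionOfIncorporationCountryName), encodes it to the DER Name structure that appears in a certificate or CSR, parses it back, and looks attributes up by their dotted OID. The subject values, the organization identifier and the function names are constructed for the example.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Attribute types from the table above for which pkix.Name has no dedicated field.
// The dotted OID is what is encoded in the certificate; the alias lives only in the issuing tooling.
var (
	oidDomainComponent        = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}   // 'DC'
	oidOrganizationIdentifier = asn1.ObjectIdentifier{2, 5, 4, 97}                        // 'ORGANIZATIONIDENTIFIER'
	oidJurisdictionCountry    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3} // 'JurisdictionOfIncorporationCountryName'
)

// buildSubject assembles a subject DN. All values are constructed for this example.
func buildSubject() pkix.Name {
	return pkix.Name{
		CommonName:   "device-0001",
		Organization: []string{"Example Corp"},
		Country:      []string{"US"},
		ExtraNames: []pkix.AttributeTypeAndValue{ // attributes carried by OID only
			{Type: oidDomainComponent, Value: "example"},
			{Type: oidOrganizationIdentifier, Value: "NTRUS-123456789"},
			{Type: oidJurisdictionCountry, Value: "US"},
		},
	}
}

// subjectDER encodes the DN as the X.501 Name (SEQUENCE OF RDN) that a certificate or CSR carries.
func subjectDER(n pkix.Name) ([]byte, error) {
	return asn1.Marshal(n.ToRDNSequence())
}

// parseSubjectDER decodes a DER Name and rejects trailing bytes: asn1.Unmarshal returns them
// instead of failing, and two parsers that disagree about them can disagree about the DN.
func parseSubjectDER(der []byte) (pkix.Name, error) {
	var seq pkix.RDNSequence
	rest, err := asn1.Unmarshal(der, &seq)
	if err != nil {
		return pkix.Name{}, err
	}
	if len(rest) != 0 {
		return pkix.Name{}, fmt.Errorf("%d trailing bytes after Name", len(rest))
	}
	var n pkix.Name
	n.FillFromRDNSequence(&seq) // known OIDs fill the typed fields; every string-valued attribute also lands in n.Names
	return n, nil
}

// attributeByOID looks an attribute up by dotted OID, which works for every type in the table,
// not only for the ones pkix.Name exposes as fields.
func attributeByOID(n pkix.Name, dotted string) (string, bool) {
	for _, atv := range n.Names {
		if atv.Type.String() == dotted {
			if s, ok := atv.Value.(string); ok {
				return s, true
			}
		}
	}
	return "", false
}

func main() {
	der, err := subjectDER(buildSubject())
	if err != nil {
		panic(err)
	}
	n, err := parseSubjectDER(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d bytes of DER\nRFC 2253: %s\n", len(der), n.String())
	v, _ := attributeByOID(n, "2.5.4.97")
	fmt.Println("organizationIdentifier:", v)
}
```

The printed RFC 2253 form shows the point of the alias column: Go renders the attribute types it has short names for as CN=, O= and so on, and the others as the dotted OID followed by `#` and the hex DER of the value. Software that matches subjects by string must therefore agree on the same alias table, while matching by OID, as attributeByOID does, needs no such agreement.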

Issuing Certification Authority (Issuing CA)

In the context of a particular certificate, the issuing CA is the CA that issued the certificate.

Key generation

The process of creating a key pair.

Key pair

Two mathematically related cryptographic keys with the following properties.

  • A message encrypted with one key can only be decrypted with the other.

  • Even knowing one key, it is believed to be computationally infeasible to discover the other key.

Public cloud

Computing services provided by third-party providers over the public Internet.

Object identifier (OID)

A unique dotted-decimal identifier, registered under the ISO/ITU-T object identifier registration standard, that references a specific object or object class. In this document, OIDs identify certificate types and policies, distinguished-name attribute types (see the table under Distinguished name), and cryptographic algorithms.

Online certificate status protocol (OCSP)

A protocol (RFC 6960) for obtaining the revocation status of a certificate in real time, without downloading a full CRL.

OCSP responder

A service that answers certificate status requests with one of the three statuses defined in RFC 6960:

  • good: the certificate is not revoked (this alone does not confirm that it is within its validity period).

  • revoked: the certificate has been revoked, permanently or, if placed on hold, temporarily.

  • unknown: the responder has no record of the certificate.

PKI certificate

A certificate issued pursuant to the PKIaaS Certification Practice Statement.

Private key

The sensitive key in the key pair protected by the subject and kept secret. The private key can:

  • Create digital signatures.

  • Decrypt data previously encrypted using the corresponding public key.

Public key

The non-sensitive key in the key pair. This key:

  • Is submitted as part of a certificate signing request by the subscriber.

  • Is disclosed in the subsequently-issued certificate.

The public key can:

  • Verify digital signatures created using the corresponding private key.

  • Encrypt data meant for decryption with the corresponding private key.

Public key cryptography

A type of cryptography, also known as asymmetric cryptography, that uses a key pair rather than a single shared key to provide authentication and confidentiality of data.

Public key infrastructure (PKI)

The architecture, technology, practices, and procedures supporting a security system that uses certificates and public key cryptography.

Registration authority (RA)

An individual, organization or process responsible for verifying the identity of a subscriber.

Relying party

An individual or legal entity that relies on a certificate or any digital signature verified using that certificate.

Repository

An online system for storing and retrieving certificates and other information relevant to certificates, including certificate validity or revocation information.

Certificate revocation

A permanent invalidation of a certificate from a specific time onward. Revocation includes:

  • Listing the certificate's serial number in the CRL.

  • Rejecting use of the certificate by clients that check its status against the central infrastructure.

Request for comments (RFC)

A document series for communicating information about the Internet. Some RFCs are designated by the IAB (Internet Architecture Board) as Internet standards. Most RFCs document protocol specifications such as Telnet and FTP.

Root Certification Authority (Root CA)

A top-level CA: a CA whose certificate is self-signed rather than issued by another CA, so relying parties must trust it directly as a trust anchor.

Subject

The individual, legal entity, organization, or device identified in a certificate. The subject holds the private key corresponding to the public key in the certificate.

Subscriber

The person, legal entity, or organization that has applied for and has been issued a certificate. Before the identity verification and issuance of a certificate, a subscriber is an applicant.

Trusted Role

An employee or contractor with authorized access to or control over PKIaaS.

Validity period

The intended term of validity of a certificate. This period begins with the later of the following dates:

  • The date of issuance stated in the "Issued On" certificate field.

  • The date stated in the "Valid From" or "Activation" certificate field (the X.509 notBefore value).

The period ends with the earlier of two dates:

  • The expiration date stated in the "Valid To" or "Expiry" certificate field (the X.509 notAfter value).

  • The revocation date asserted in the CRL published at the distribution point named in the certificate.
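An added example, not part of the original page and not code from any Entrust component, that ties together the definitions of CA certificate, certificate issuance, CRL, certificate revocation and validity period above: a Go program using only the standard library's crypto/x509 that self-signs a constructed root CA, issues one subscriber certificate, has the CA sign a CRL, and then decides the certificate's status at a given instant from notBefore, notAfter and the CRL. The CA name, subscriber name, serial numbers, dates and function names are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert generates a fresh P-256 key for the subject of tmpl, signs tmpl with signer (self-signs when signer is nil) and returns the parsed certificate and the subject key.
func issueCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // the parsed copy carries the SubjectKeyId Go generates for a CA
	return cert, key, err
}

// buildDemoPKI self-signs a constructed root CA (not an Entrust root) and issues one subscriber certificate valid exactly for [notBefore, notAfter].
func buildDemoPKI(notBefore, notAfter time.Time) (root, leaf *x509.Certificate, rootKey *ecdsa.PrivateKey, err error) {
	root, rootKey, err = issueCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: notBefore.Add(-24 * time.Hour), NotAfter: notAfter.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign lets this CA sign CRLs
	}, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err = issueCert(&x509.Certificate{ // the subscriber's private key is not needed for status checks
		SerialNumber: big.NewInt(4711), Subject: pkix.Name{CommonName: "device-0001"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}, root, rootKey)
	return root, leaf, rootKey, err
}

// issueCRL has the issuer sign a CRL listing the given serial numbers as revoked at revokedAt.
func issueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, thisUpdate, nextUpdate, revokedAt time.Time, serials ...*big.Int) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	for _, s := range serials { // newer Go also offers RevokedCertificateEntries; this field works on every supported version
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: revokedAt})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// certStatus applies the validity-period definition: the certificate is usable from notBefore until the
// earlier of notAfter and the revocation date in the issuer's CRL. The CRL is consulted only after its
// signature checks against the issuer. It returns "not-yet-valid", "expired", "revoked", "crl-stale" or "good";
// a listed serial is revoked even on a stale CRL, but an unlisted serial on a CRL past nextUpdate is not "good".
func certStatus(cert, issuer *x509.Certificate, crl *x509.RevocationList, at time.Time) (string, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("CRL not signed by the issuer: %w", err)
	}
	if at.Before(cert.NotBefore) {
		return "not-yet-valid", nil
	}
	if at.After(cert.NotAfter) {
		return "expired", nil
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 && !at.Before(rc.RevocationTime) {
			return "revoked", nil
		}
	}
	if at.After(crl.NextUpdate) {
		return "crl-stale", nil
	}
	return "good", nil
}

func main() {
	nb := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	root, leaf, key, err := buildDemoPKI(nb, nb.AddDate(1, 0, 0))
	if err != nil {
		panic(err)
	}
	revokedAt := nb.AddDate(0, 1, 0) // revoke the subscriber certificate one month in; the CRL is good for a week
	crl, err := issueCRL(root, key, revokedAt, revokedAt.AddDate(0, 0, 7), revokedAt, leaf.SerialNumber)
	if err != nil {
		panic(err)
	}
	fmt.Println(certStatus(leaf, root, crl, nb.AddDate(0, 0, 10)))    // good <nil>
	fmt.Println(certStatus(leaf, root, crl, revokedAt.Add(time.Hour))) // revoked <nil>
}
```

The order of checks in certStatus is deliberate: the CRL signature is verified before anything in it is believed, the validity window is applied before revocation so that an expired certificate is reported as expired even if it was also revoked, and a CRL past its nextUpdate never yields "good", because an attacker who can suppress CRL updates must not be able to keep a revoked certificate alive. An OCSP responder, as defined above, answers the same revocation question in real time and has the equivalent staleness field in its response.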

X.500

A series of computer networking standards covering electronic directory services such as:

  • Directory access protocol (DAP)

  • Directory system protocol (DSP)

  • Directory information shadowing protocol (DISP)

  • Directory operational bindings management protocol (DOP)

X.509

A standard issued by the ITU-T (the Telecommunication Standardization Sector of the International Telecommunication Union) for public key certificates, certificate revocation lists, and certification path validation.