​Root CA

The root CA serves as your PKI trust anchor. This CA is a dedicated root CA for your company alone to use. Root CAs are not shared. You define the common name of your root, though we ask for a naming relationship with your company so that we can support you more easily. Your root CAs will issue certificates to your issuing CAs and OCSP services.

​Issuing CAs

You may have one or more issuing CAs. PKIaaS will support any number of use cases (and associated certificate profiles) on one issuer, or you can split the responsibility to multiple issuing CAs.

You will define Registration Authorities (RAs) that can issue certificates for all use cases supported by the issuing CA, so if you wish to have some division of responsibility, you may want to set up more than one issuing CA. These issuing CAs are subordinate to your root and issue certificates for subscribers.

Policy Authority

Entrust is the Policy Authority and is responsible for overseeing and setting policy and practices as applicable to the operation of the Certification Authorities.

Operational Authority

Entrust manages all root and issuing CA systems hosted and operated on your behalf, as part of PKIaaS. These systems issue and manage

• Certificates

• Certificate Revocation Lists (CRLs)

• OCSP responses

As the Operational Authority (OA), Entrust is responsible for all the operations of the CAs per the CPS.