The primary focus of this chapter has been the structure and semantics of the X.509 Version 3 public-key certificate and the need for certification in order to maintain the integrity and trustworthiness of the certificate itself. The Version 3 X.509 public-key certificate is by far the preferred choice for the enterprise domain, and it is quickly becoming widely accepted in other environments such as the Internet. This chapter also introduced a number of other certificate types (which may or may not be encountered in wide-scale implementation practice).
We also addressed the importance and role of the CA and RA components. A CA is responsible for issuing certificates in accordance with one or more Certificate Policies. The CA may also be responsible for end-entity registration, although one or more RAs can implement this function separately. Deploying one or more RAs reduces cost and enhances the overall scalability of a large-scale PKI.
A full understanding of certificates and certification requires familiarity with two related topics: the details regarding key/certificate life-cycle management (see Chapter 7) and the concepts associated with trust models and certification path processing. (See Chapter 9.)