Web, mail, and directory services use the server's public key with SSL to negotiate a shared key that lasts for the duration of the connection.
For example, a mail server sends its public key to a connecting client and initiates negotiation for a secure connection. The client uses that public key to encrypt its response to the negotiation. The mail server, because it holds the matching private key, can decrypt the response. The negotiation continues until the mail server and the client share a secret that is used to encrypt the traffic between the two computers.
Certificates
A certificate is an electronic document that contains a public key together with identification information (name, organization, email address, and so on). In a public key environment, a certificate is digitally signed by a Certificate Authority, or by its own private key (the latter being a
A public key certificate is a file in a specified format (Mac OS X Server uses the X.509 format) that contains:
• The public key half of a
• The key user’s identity information, such as a person’s name and contact information
• A validity period (how long the certificate can be trusted to be accurate)
• The URL of someone with the power to revoke the certificate (its revocation center)
• The digital signature of a CA, or the key user
About Certificate Authorities (CAs)
A CA is an entity that signs and issues digital identity certificates claiming that a party is correctly identified. In this sense, a CA is a trusted third party used by other parties when performing transactions.
In X.509 systems such as Mac OS X, CAs are hierarchical, with CAs being certified by higher CAs, until you reach a root authority. A root authority is a CA that is trusted by the parties, so it doesn’t need to be authenticated by another CA. The hierarchy of certificates is
A CA can be a company that signs and issues a public key certificate. The certificate attests that the public key belongs to the owner recorded in the certificate.
In a sense, a CA is a digital notary public. You request a certificate by providing the CA with your identity information, contact information, and the public key. The CA then verifies your information so users can trust certificates issued for you by the CA.
Chapter 4 Enhancing Security