Certification Authority (CA)

An authority trusted by one or more users to create and assign public key certificates. Optionally, the CA may create the user's keys. It is important to note that the CA is responsible for the public key certificates during their whole lifetime, not just for issuing them.


A certificate for one CA's public key issued by another CA.

Certificate policy

A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.

Certificate subject

The entity (person, organization, or server) whose public key is certified in the certificate.

Certification path

An ordered sequence of certificates which, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path.

Certification Practice Statement

A statement of the practices which a certification authority employs in issuing certificates.

Certificate revocation list

A CRL is a time-stamped list identifying revoked certificates, which is signed by a CA and made freely available in a public repository.

End entity

A person or resource that needs to have their public key certified.


Any autonomous element within the Public Key Infrastructure. This may be a CA, an RA, or an End-Entity.

Issuing certification authority

In the context of a particular certificate, the issuing CA is the CA that issued the certificate (see also Subject certification authority).

Public Key Certificate

A data structure containing the public key of an end entity and some other information, which is digitally signed with the private key of the CA which issued it.

Registration authority

An entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates (i.e., an RA is delegated certain tasks on behalf of a CA).

Relying party

A recipient of a certificate who acts in reliance on that certificate and/or digital signatures verified using that certificate. In this document, the terms "certificate user" and "relying party" are used interchangeably.

Subject certification authority

In the context of a particular CA-certificate, the subject CA is the CA whose public key is certified in the certificate.


In the case of certificates issued to resources (such as web servers), the person responsible for the certificate for that resource. For certificates issued to individuals, same as certificate subject.