Root Certificate Authority
The Root Certificate Authority is the trust anchor for digital certificates and can issue multiple certificates arranged in a tree structure. When deciding where to place the Root CA, the root certificate, which is the highest-ranked certificate in the hierarchy, has to be given careful consideration, since it is bound to the private key used to sign the other certificates. The root certificate's trustworthiness is inherited by every certificate below it in the tree, because each of them is signed, directly or through a chain of intermediates, by the root; its public key must therefore be widely and reliably available. A root CA has to have a group of trustees who will assure others of the trustworthiness of the root certificate. The ownership, management and functioning of a root CA must be beyond reproach so that its provenance is not in doubt (Khnaser & Hunter, 2004). In addition, the types of roles that the CA will be responsible for are vital.
Various reasons can force the Certificate Authority administrator to revoke a certificate. To begin with, revocation can occur when the validity period expires, when the subject of the certificate requests cancellation or leaves the organization, or when the administrator is mandated to annul the root certificate. In another case, the certificate owner may change his or her name. This discredits the right to use the certificate, since the owner can no longer meet the certificate policy's obligations, thus calling for revocation.
Another compelling cause of certificate withdrawal is compromise of the public key, which must be followed by a Certificate Revocation List (CRL) that provides entities checking CRLs with the latest revocation information (Khnaser & Hunter, 2004). A change of association between the certificate owner and the Certificate Authority may also arise, and this invalidates the certificate. Finally, revocation also occurs if the CA realizes that the certificate was not issued according to its certificate issuance policy.
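The two ideas above, trust inherited from a self-signed root down a signature chain and revocation published through a signed CRL, can be exercised end to end with nothing but Go's standard library crypto/x509 package. The program below is an added example written for this page; it is not code from Khnaser & Hunter or from any CA product. The CA names, hostname and serial numbers (1, 2, 3) are constructed placeholders, and it assumes Go 1.19 or later (it uses the older RevokedCertificates field rather than RevokedCertificateEntries so that it builds on 1.19 and 1.20 as well as 1.21+).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
	RootKey, IntKey          *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a key pair and certificate for cn, signed by parent with parentKey; a nil parent makes a self-signed root.
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // placeholder serials, not from a real CA
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // may sign certificates and CRLs
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // the trust anchor is the one certificate that vouches for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildPKI constructs a three-tier hierarchy: root (trust anchor) -> intermediate -> leaf.
func BuildPKI() *PKI {
	root, rootKey := issue(1, "Example Root CA", true, nil, nil)
	inter, intKey := issue(2, "Example Intermediate CA", true, root, rootKey)
	leaf, _ := issue(3, "server.example.test", false, inter, intKey)
	return &PKI{Root: root, Intermediate: inter, Leaf: leaf, RootKey: rootKey, IntKey: intKey}
}

// VerifyChain validates leaf -> inter -> root; it succeeds only when root is in the trusted pool, so the leaf's trust is inherited from the anchor, never asserted by itself.
func VerifyChain(leaf, inter, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// IssueCRL has a CA publish a signed CRL listing the revoked serial numbers.
func IssueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, serials []*big.Int) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return crl
}

// IsRevoked is the relying-party side: trust the CRL only if the issuer signed it and it is still current, then look the certificate's serial number up in it.
func IsRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("untrusted CRL: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("stale CRL: nextUpdate %s has passed", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Two checks in IsRevoked matter in practice: a CRL whose signature does not verify against the issuing CA must be discarded rather than trusted, and a CRL past its nextUpdate says nothing reliable about current status, so a relying party should fetch a fresh one instead of treating the certificate as valid.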
Khnaser, E. & Hunter, L. (2004). MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298. Syngress.