Certificate Distribution
Chapter 10 looked at preshared public keys, but this manual
distribution method is only practical up to a point. Beyond that, an
exchange system that provides the necessary security, storage, and exchange
mechanisms becomes necessary, so that coworkers, business partners, and even
strangers can establish secure communications when they need to.
These public key exchange systems can take the form of
storage-only repositories called Certificate Servers, or
they can be much more structured systems providing additional key management
features. These latter systems are called Public Key
Infrastructures.
Certificate Servers
A certificate server, also called a cert
server or a key server, is a database service running
on an existing or dedicated server that allows users to submit and retrieve
digital certificates. The cert server typically offers additional administrative
features that allow the company to implement and maintain its security policies.
For example, the cert server can be configured to allow only certain types of
keys to be stored.
Public Key Infrastructures (PKI)
A Public Key Infrastructure (PKI) includes the storage
capabilities of a certificate server, but it also provides additional
certificate management functions, such as the capability to issue, store,
retrieve, revoke, and trust certificates. A powerful feature of a PKI system is
the concept of a Certification Authority (CA). CAs are
responsible for managing certificate requests and issuing certificates to
participating IPSec network peers. These services provide centralized key
management for the participating peers. CAs simplify the administration of IPSec
network devices (peers) in networks containing multiple IPSec-compliant devices,
such as with the Cisco Secure PIX Firewall units and Cisco routers.
The CA creates the digital certificate, and then digitally signs
it using its own private key. Any CA client can then use the shared CA public
key to authenticate a certificate’s digital signature and, thereby, the
integrity of the certificate contents, including the certificate holder's public
key and the identity of the certificate holder.
Conceptually, the CA functions in the digital environment
much like the government passport or driver’s license office in the nondigital
world.
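The issue-and-verify flow described above, as an added example that is not code from the book or from Cisco: a small Go program built on the standard library's crypto/x509 package, in which a hypothetical CA ("Example Corp CA" is a constructed name) signs a peer certificate with its private key, and a client holding only the CA certificate checks that signature before trusting the holder's identity and public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// certBody is the certificate content: serial, holder identity, validity window, CA flag, key usage.
func certBody(serial int64, name string, isCA bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: ku,
	}
}
// newCA generates the CA key pair and self-signs the CA certificate (the CA name is constructed).
func newCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certBody(1, "Example Corp CA", true, x509.KeyUsageCertSign)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// issueCert (CA side) binds a peer's identity and public key into a certificate signed with the CA private key.
func issueCert(ca *x509.Certificate, caKey ed25519.PrivateKey, name string, pub ed25519.PublicKey) ([]byte, error) {
	return x509.CreateCertificate(rand.Reader, certBody(2, name, false, x509.KeyUsageDigitalSignature), ca, pub, caKey)
}
// verifyPeer (client side) uses only the shared CA certificate to check a retrieved certificate's signature.
func verifyPeer(ca *x509.Certificate, der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil // the identity is trusted only after the CA signature checks out
}
```

A certificate whose contents were altered after signing, or one issued by a CA the client does not hold, fails verifyPeer, which is the property the shared CA public key provides.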