Acting as a Certificate Authority

You can act as your own certification authority when a digital certificate is deployed internally (as is often the case with Uniface applications).

The certificate can be signed by a trusted employee or department in your organization that has the role of certificate authority (CA) for your organization. This internal CA receives signing requests from other employees or departments and sends a signed certificate back. The trusted CA certificate needed to validate the signed certificates is then made available company-wide, for example on a shared network drive, or by requiring users to add it to the trust store on their own systems.

The internal authority needs a root CA certificate and its associated private key. The root CA certificate is used only to create intermediate CA certificates, and it is the intermediate CA that signs certification requests. The root CA certificate and its key are kept offline and under strict access control, so that no attacker can reach them.

This is much more secure than signing certification requests with the root certificate directly. If the key of an intermediate CA certificate is compromised, all certificates issued with it can be revoked. Because the root CA key is still secure, a new intermediate CA certificate can be issued with it, and the revoked certificates can be re-signed using the new, uncompromised intermediate certificate.
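The three-tier hierarchy described above (offline root, intermediate signer, per-application certificate) as an added example using the openssl command line; this is not Uniface's own tooling, and the organization name, host name, directory layout and validity periods are assumptions:

```shell
# Hypothetical internal PKI: offline root -> intermediate -> server certificate.
# Argument: a writable working directory. Requires the openssl CLI.
build_pki() {
  dir="$1"
  cnf="$dir/ext.cnf"
  # Extension profiles: CA certificates may sign other certificates,
  # leaf certificates explicitly may not (CA:FALSE).
  cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # 1. Root CA: self-signed, kept offline, signs only intermediate CAs.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Corp/CN=Example Internal Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" \
    -config "$cnf" -extensions v3_ca
  # 2. Intermediate CA: the root signs its request with the CA profile.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
    -subj "/O=Example Corp/CN=Example Intermediate CA 1" \
    -keyout "$dir/int.key" -out "$dir/int.csr"
  openssl x509 -req -sha256 -days 1825 -in "$dir/int.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$cnf" -extensions v3_ca -out "$dir/int.crt"
  # 3. Server certificate: a department's request, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
    -subj "/O=Example Corp/CN=uniface-app.example.internal" \
    -keyout "$dir/server.key" -out "$dir/server.csr"
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
    -extfile "$cnf" -extensions v3_leaf -out "$dir/server.crt"
}

# Validates the server certificate the way a client would: only the root is
# trusted, and the intermediate must be supplied as an untrusted chain link.
# Returns 0 on success, non-zero if the chain does not lead to the root.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/server.crt"
}
```

Only root.crt needs to be distributed company-wide as the trust anchor; the server must present int.crt alongside its own certificate, because a client holding just the root cannot validate the leaf on its own.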
