Digital certificates are electronic credentials that are used to certify the online identities of individuals, computers, and other entities on a network. Digital certificates function similarly to identification cards such as passports and drivers’ licenses. They are issued by certification authorities (CAs) that must validate the identity of the certificate holder, both before the certificate is issued and when the certificate is used. Common uses include business scenarios requiring authentication, encryption, and digital signing.
Data Protection Manager (DPM) supports the following types of certificates for media encryption:
- Self-signed certificates
- Imported certificates from certification authorities
In addition, DPM supports backup and recovery of certificates.
Self-Signed Certificates
Self-signed certificates are not signed by a certification authority. These certificates ensure that encrypted Web connections are in place; however, they do not guarantee the identity of the organization that generated the certificate. Self-signed certificates are useful if the ability to encrypt data is more important than the ability to identify the issuing organization.
Imported Certificates
Certification authority (CA) certificates are certificates that are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two CAs.
A certificate that is issued by a CA to itself is referred to as a trusted root certificate, because it is intended to establish a point of ultimate trust for a CA hierarchy.
After the trusted root has been established, it can be used to authorize subordinate CAs to issue certificates on its behalf.
Although the relationship between CAs is most commonly hierarchical, CA certificates can also be used to establish trust relationships between CAs in two different public key infrastructure (PKI) hierarchies.
In all of these cases, the CA certificate is critical to defining the certificate path and usage restrictions for all end entity certificates issued for use in the PKI.
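To see these relationships on a real system, the following PowerShell sketch builds the certificate path for each certificate in a store and reports, per element, whether it is issued to itself, whether it is marked as a CA, and any path-length restriction. It is an added example, not code from DPM or its documentation; the function name Get-CertificatePathReport and the LocalMachine\My store location are assumptions chosen for illustration.

```powershell
# Added example, not DPM code. Assumption: the certificates to inspect are in
# the LocalMachine\My store; point $StorePath at the store you actually use.
$StorePath = 'Cert:\LocalMachine\My'

function Get-CertificatePathReport {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline inspection only: revocation lookups are skipped here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Build() returns $true only if the path ends at a trusted root.
    $trusted = $chain.Build($Certificate)

    $position = 0
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        # "Issued to itself": subject and issuer names are byte-identical.
        $selfIssued = [Convert]::ToBase64String($cert.SubjectName.RawData) -eq
                      [Convert]::ToBase64String($cert.IssuerName.RawData)
        # Basic Constraints (OID 2.5.29.19) marks CA certificates and can
        # limit how many subordinate CAs may appear below this one.
        $isCA = $false
        $pathLength = $null
        $raw = $cert.Extensions['2.5.29.19']
        if ($raw) {
            $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension -ArgumentList $raw, $raw.Critical
            $isCA = $bc.CertificateAuthority
            if ($bc.HasPathLengthConstraint) { $pathLength = $bc.PathLengthConstraint }
        }
        [pscustomobject]@{
            Leaf         = $Certificate.Thumbprint
            Position     = $position          # 0 = the certificate itself
            Subject      = $cert.Subject
            SelfIssued   = $selfIssued
            IsCA         = $isCA
            PathLength   = $pathLength
            ChainTrusted = $trusted
            Status       = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
        $position++
    }
    $chain.Reset()
}

Get-ChildItem $StorePath |
    ForEach-Object { Get-CertificatePathReport -Certificate $_ } |
    Format-Table Position, Subject, SelfIssued, IsCA, PathLength, ChainTrusted, Status -AutoSize
```

A self-signed certificate that is not in a trusted root store appears as a single self-issued element with ChainTrusted set to False and a status of UntrustedRoot, while a CA-issued certificate shows the subordinate CAs and the trusted root as further rows.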