Definitions
See below for a definition of the main PKIaaS-related concepts.
- Agent
- Applicant
- Activation data
- Agreement
- Certificate
- Certificate authority
- Certificate authority certificate
- Certificate profile
- Certificate revocation
- Certificate Revocation List
- Certificate Signing Certificate
- Certification Practice Statement
- Cryptographic Module
- Customer
- Digital signature
- Distinguished Name
- Key pair
- Public cloud
- Object identifier
- Online Certificate Status Protocol
- OCSP responder
- Partition
- PKI certificate
- Public Key Cryptography
- Public Key Infrastructure
- Region
- Registration Authority
- Relying party
- Repository
- Request for comments
- Subject
- Subject Alternative Name
- Subscriber
- Subscription
- Trusted role
- Validity period
- X.500
- X.509
Agent
An agent is a lightweight, stateless virtual machine deployed in your local environment for automating WSTEP enrollment. Since Entrust PKIaaS is cloud‑hosted, the agent provides the required local network presence without requiring the CA itself to be on‑premises.
Applicant
An applicant is a person, entity, or organization applying for the issuance or renewal of a certificate.
Activation data
Activation data are values, other than keys, that are required to operate cryptographic modules and that need to be protected – for example:
- PIN
- passphrases
- manually-held key share
Agreement
An agreement is a legally binding contract for PKIaaS comprising:
- The PKIaaS terms of use.
- The PKIaaS schedule.
- The Entrust General Terms and Conditions provided with the PKIaaS Schedule at https://www.entrust.com/-/media/documentation/licensingandagreements/certificate-solutions-general-terms.pdf
- An order for PKIaaS as defined in the General Terms.
Certificate
A certificate is a digital document issued by the CA that, at a minimum, meets the following:
- Identifies the CA issuing it.
- Names or otherwise identifies a Subject.
- Contains a Public Key of a Key Pair.
- Identifies its Operational Period.
- Contains a serial number and is digitally signed by a CA.
Certificate authority
A Certificate Authority (CA), or simply Authority, is a trusted entity that issues, manages, and revokes certificates. See below for the supported types.
| CA type | Own certificate | Certified entities |
|---|---|---|
| Root | Self-signed | Intermediate or issuing subordinate CA |
| Intermediate | Signed by a root or intermediate subordinate CA | Intermediate or issuing subordinate CA |
| Issuing | Signed by a root or intermediate subordinate CA | End-entities (like servers, clients, or software applications) |
Certificate authority certificate
A certificate authority certificate is a digital document that verifies the authenticity of the public key owned by a certificate authority. This certificate is essential because it allows the CA to securely issue, sign, and validate other digital certificates.
Certificate profile
A certificate profile is a set of properties for the certificates issued by a CA – for example:
- Certificate extensions like the key usage
- The supported key and signature algorithms
For a CA to issue a certificate, the certificate request must indicate a certificate profile enabled in the CA.
ℹ See Authority certificate profiles and Subscriber certificate profiles for a list of the default profiles.
Certificate revocation
Certificate revocation is the permanent invalidation of a certificate from a specific time onward. Revocation includes:
- Listing the certificate in a CRL.
- Preventing users from accessing the certificate once connected to the central infrastructure.
Certificate Revocation List
A Certificate Revocation List (CRL) is a time-stamped list of the serial numbers of certificates revoked before their expiration.
Certificate Signing Certificate
A Certificate Signing Certificate is a digital certificate used by a Certificate Authority (CA) to sign other certificates.
Certification Practice Statement
The Certification Practice Statement (CPS) states the practices for a CA to issue, manage, revoke, renew, or re-key certificates.
Cryptographic Module
A Cryptographic Module is a software, device, or utility for:
- Generating key pairs.
- Storing cryptographic information.
- Performing cryptographic functions.
Customer
The customer is the entity that has entered into a PKIaaS Agreement with Entrust.
Digital signature
A digital signature is the transformation of an electronic record by one person using private and public key cryptography so that another person having the corresponding public key can determine whether:
- The record transformation was created using the private key corresponding to the public key.
- The record has been altered since the transformation was made.
Distinguished Name
A Distinguished Name (DN) is a unique identifier for locating a subject in an ITU/CCITT X.500 directory. Entrust PKIaaS has no restriction on distinguished names per certificate profile, and all certificate profiles support the following identifiers.
| Alias | OID |
|---|---|
| CN, CommonName | 2.5.4.3 |
| SN, SurName | 2.5.4.4 |
| SERIALNUMBER, DeviceSerialNumber | 2.5.4.5 |
| C, Country | 2.5.4.6 |
| L, Locality | 2.5.4.7 |
| ST, S, State | 2.5.4.8 |
| STREET, StreetAddress | 2.5.4.9 |
| O, Org, Organization | 2.5.4.10 |
| OU, OrganizationalUnit, OrganizationUnit, OrgUnit | 2.5.4.11 |
| T, Title | 2.5.4.12 |
| BUSINESSCATEGORY | 2.5.4.15 |
| POSTALCODE | 2.5.4.17 |
| givenName, G | 2.5.4.42 |
| I, Initials | 2.5.4.43 |
| ORGANIZATIONIDENTIFIER | 2.5.4.97 |
| UID | 0.9.2342.19200300.100.1.1 |
| DC, DomainComponent | 0.9.2342.19200300.100.1.25 |
| Email, E | 1.2.840.113549.1.9.1 |
| unstructuredName | 1.2.840.113549.1.9.2 |
| unstructuredAddress | 1.2.840.113549.1.9.8 |
| JurisdictionOfIncorporationLocalityName | 1.3.6.1.4.1.311.60.2.1.1 |
| JurisdictionOfIncorporationStateOrProvinceName | 1.3.6.1.4.1.311.60.2.1.2 |
| JurisdictionOfIncorporationCountryName | 1.3.6.1.4.1.311.60.2.1.3 |
| TrademarkOfficeName | 1.3.6.1.4.1.53087.1.2 |
| TrademarkCountryOrRegionName | 1.3.6.1.4.1.53087.1.3 |
| TrademarkRegistration | 1.3.6.1.4.1.53087.1.4 |
| LegalEntityIdentifier | 1.3.6.1.4.1.53087.1.5 |
| WordMark | 1.3.6.1.4.1.53087.1.6 |
| MarkType | 1.3.6.1.4.1.53087.1.13 |
| StatuteCountryName | 1.3.6.1.4.1.53087.3.2 |
| StatuteStateOrProvinceName | 1.3.6.1.4.1.53087.3.3 |
| StatuteLocalityName | 1.3.6.1.4.1.53087.3.4 |
| StatuteCitation | 1.3.6.1.4.1.53087.3.5 |
| StatuteURL | 1.3.6.1.4.1.53087.3.6 |
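The following parser, added here as an example and not Entrust's code, maps the aliases of an RFC 4514-style DN string to the OIDs in the table above (it carries a subset of the aliases, and the DN strings are constructed); unescaped commas separate attributes and a backslash escapes the character after it.

```python
"""Map attribute aliases in an RFC 4514-style DN string to the OIDs tabulated
above. Example code added for this glossary (not Entrust's); the alias table is a
subset of the one above and the DN strings are constructed."""
# Alias -> OID for the X.520 and PKCS#9/LDAP attributes listed above (subset).
DN_ALIASES = {
    "CN": "2.5.4.3", "COMMONNAME": "2.5.4.3",
    "SN": "2.5.4.4", "SURNAME": "2.5.4.4",
    "SERIALNUMBER": "2.5.4.5", "DEVICESERIALNUMBER": "2.5.4.5",
    "C": "2.5.4.6", "COUNTRY": "2.5.4.6",
    "L": "2.5.4.7", "LOCALITY": "2.5.4.7",
    "ST": "2.5.4.8", "S": "2.5.4.8", "STATE": "2.5.4.8",
    "O": "2.5.4.10", "ORG": "2.5.4.10", "ORGANIZATION": "2.5.4.10",
    "OU": "2.5.4.11", "ORGANIZATIONALUNIT": "2.5.4.11",
    "ORGANIZATIONUNIT": "2.5.4.11", "ORGUNIT": "2.5.4.11",
    "G": "2.5.4.42", "GIVENNAME": "2.5.4.42",
    "DC": "0.9.2342.19200300.100.1.25", "DOMAINCOMPONENT": "0.9.2342.19200300.100.1.25",
    "EMAIL": "1.2.840.113549.1.9.1", "E": "1.2.840.113549.1.9.1",
}

def split_rdns(dn):
    """Split on unescaped commas; a backslash escapes the character after it."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])      # keep the escaped char, drop the backslash
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def parse_dn(dn):
    """Return [(oid, value), ...]; attributes outside the table are rejected."""
    result = []
    for rdn in split_rdns(dn):
        alias, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {rdn!r}")
        oid = DN_ALIASES.get(alias.strip().upper())   # aliases are case-insensitive
        if oid is None:
            raise ValueError(f"unsupported attribute alias: {alias.strip()!r}")
        result.append((oid, value.strip()))
    return result
```

Rejecting aliases that are not in the table is deliberate: a request naming an unsupported attribute should fail at the RA rather than be silently dropped.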
Key pair
A key pair comprises two mathematically related cryptographic keys with the following properties.
- A message encrypted with one key can only be decrypted with the other.
- Even knowing one key, it is believed to be computationally infeasible to discover the other key.
These keys are referred to as the private key and the public key, with the following uses.
| Key | Description | Sign | Verify signature | Encrypt | Decrypt |
|---|---|---|---|---|---|
| Private | Sensitive key protected by the subject and kept secret | ✔ | ❌ | ❌ | ✔ |
| Public | Non-sensitive key disclosed in the certificate | ❌ | ✔ | ✔ | ❌ |
Public cloud
The public cloud is a collection of computing services offered by third-party providers over the public Internet.
Object identifier
An Object Identifier (OID) is a unique alphanumeric identifier registered under the ISO registration standard to reference a specific object or object class. In this document, OIDs uniquely identify certificates and cryptographic algorithms.
Online Certificate Status Protocol
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of a digital certificate. Unlike a Certificate Revocation List (CRL), which requires downloading and checking a potentially large list of revoked certificates, OCSP allows validating the status of a certificate in real time.
OCSP responder
An OCSP responder is a service that responds to certificate status requests with one of three responses.
- Valid
- Invalid
- Unknown
Partition
A partition is a dedicated and secure environment within the PKIaaS platform for a customer to manage and run a PKI. Each partition ensures the customer’s data, operations, and resources are separate and protected while supporting scalability and customization.
To create a partition, assign your Subscription to a Region.
PKI certificate
A PKI certificate is a certificate issued according to the PKIaaS Certification Practice Statement.
Public Key Cryptography
Public Key Cryptography, also known as asymmetric cryptography, is a type of cryptography that uses a Key pair rather than a single key to secure data authentication and confidentiality.
Public Key Infrastructure
A Public Key Infrastructure (PKI) comprises the architecture, technology, practices, and procedures supporting a security system that uses certificates and public key cryptography.
Region
Each Entrust PKIaaS region defines:
- A legal boundary for:
  - Regulatory requirements
  - Jurisdiction
- A physical location for:
  - Performing cryptographic operations
  - Storing private keys
  - Enforcing data‑residency requirements
Typically, you choose a region based on:
- Where regulated data is required to reside
- The geographic location of your users and devices
- Legal and jurisdictional requirements for protecting cryptographic keys
- Disaster‑recovery, auditing, and compliance considerations
Assigning your Subscription to a region results in a Partition.
Registration Authority
A Registration Authority (RA) is an individual, organization, or process responsible for verifying the identity of a subscriber.
Relying party
A relying party is an individual or legal entity that relies on a certificate or any digital signature verified using that certificate.
Repository
A repository is an online system for storing and retrieving certificates and other information relevant to certificates, including certificate validity or revocation information.
Request for comments
A Request for Comments (RFC) is a document series for communicating information about the Internet.
- The IAB (Internet Architecture Board) designates some RFCs as Internet standards.
- Most RFCs document protocol specifications like Telnet and FTP.
Subject
The subject is the individual, legal entity, organization, or device identified in a certificate. The subject holds the private key corresponding to the public key in the certificate.
Subject Alternative Name
A Subject Alternative Name (SAN) is an X.509 digital certificate extension that allows multiple identities (like domain names, IP addresses, email addresses, or URIs) to be associated with a single certificate. This feature is particularly useful for securing multiple domains or subdomains with a single SSL/TLS certificate, providing flexibility and reducing the need for multiple certificates.
Subscriber
The subscriber is the person, legal entity, or organization that has applied for and has been issued a certificate. Before the identity verification and issuance of a certificate, a subscriber is an applicant.
Subscription
A subscription is a prepaid inventory of PKI products purchased by the customer. To utilize this inventory, you must convert your subscription into a Partition by assigning it to a Region.
Trusted role
A trusted role is a role for employees or contractors with authorized access to or control over PKIaaS.
Validity period
The validity period of a certificate is the intended term of validity of a certificate. This period begins with the later of the following dates:
- The date of issuance stated in the “Issued On” certificate field.
- The date stated in the “Valid From” or “Activation” certificate fields.
The period ends with the earlier of the following dates:
- The expiration date stated in the “Valid To” or “Expiry” certificate fields.
- The revocation date asserted in the CRL published at the distribution point named in the certificate.
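The rule above, carried through in code as an added example (not Entrust's code): the window starts at the later of the issuance and valid-from dates and ends at the earlier of the expiry and any CRL revocation date. The certificate, CRL and dates are constructed, and the CRL's next-update timestamp is an assumed field used to refuse a decision from a stale CRL.

```python
"""Effective validity of a certificate as defined above: the period starts at the
later of the issuance and valid-from dates and ends at the earlier of the expiry
date and a revocation date asserted in a CRL. Example code added for this
glossary; the certificate and CRL below are constructed, not real."""
from dataclasses import dataclass
from datetime import datetime, timezone

def at(y, m, d):
    """UTC midnight helper for the constructed dates below."""
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Cert:
    serial: int
    issued_on: datetime   # "Issued On" field
    valid_from: datetime  # "Valid From" / "Activation" field
    valid_to: datetime    # "Valid To" / "Expiry" field

@dataclass(frozen=True)
class Crl:
    this_update: datetime  # time stamp of this CRL issue
    next_update: datetime  # assumed field: do not rely on the CRL past this point
    revoked: dict          # serial -> revocation date

def validity_window(cert, crl):
    """(start, end) of the effective validity period, honouring revocation."""
    start = max(cert.issued_on, cert.valid_from)
    end = cert.valid_to
    revoked_at = crl.revoked.get(cert.serial)
    if revoked_at is not None:
        end = min(end, revoked_at)
    return start, end

def status_at(cert, crl, when):
    """Classify the certificate at instant `when` using the given CRL."""
    if when >= crl.next_update:
        return "stale-crl"  # a relying party must fetch a fresh CRL first
    start, end = validity_window(cert, crl)
    if when < start:
        return "not-yet-valid"
    if when < end:
        return "valid"
    revoked_at = crl.revoked.get(cert.serial)
    # revocation is permanent from its date onward, so report it ahead of expiry
    return "revoked" if revoked_at is not None and when >= revoked_at else "expired"

# Constructed sample data: a one-year certificate revoked mid-term.
SAMPLE_CERT = Cert(0x1A2B, at(2024, 1, 10), at(2024, 1, 15), at(2025, 1, 15))
SAMPLE_CRL = Crl(at(2024, 1, 1), at(2026, 1, 1), {0x1A2B: at(2024, 6, 1)})
```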
X.500
X.500 is a series of computer networking standards covering electronic directory services, like:
- Directory access protocol (DAP)
- Directory system protocol (DSP)
- Directory information shadowing protocol (DISP)
- Directory operational bindings management protocol (DOP)
X.509
X.509 is a standard of the ITU-T (Technical committee of the International Telecommunication Union) for public key certificates and certification path validation.