Learn PKI vocabulary: CA hierarchy (root CA, intermediate CA), certificate signing requests (CSR), chain of trust, certificate revocation (CRL, OCSP), and self-signed certificates.
0 / 5 completed
1 / 5
Why do certificate authorities use intermediate CAs to issue end-entity certificates rather than signing directly with the root CA?
Root CA private keys are extremely sensitive — compromising one would invalidate trust in all certificates under that root. By keeping the root offline and delegating issuance to online intermediate CAs, the blast radius of a compromise is limited. Revoking an intermediate CA is far less disruptive than revoking a root.
2 / 5
A Certificate Signing Request (CSR) contains:
The CSR is generated on the server: a key pair is created, and the CSR packages the public key plus identifying details (CN, SANs, organisation). It is signed with the corresponding private key to prove the applicant controls it. The CA verifies identity, then signs the CSR to produce a certificate — the private key never leaves the server.
3 / 5
OCSP (Online Certificate Status Protocol) was introduced to address what limitation of CRLs?
A CRL (Certificate Revocation List) lists all revoked serial numbers — these files can grow to megabytes and are only published on a schedule (e.g., daily), so there is a window where a revoked certificate appears valid. OCSP lets a client query the CA's OCSP responder for a single certificate's status in real time. OCSP Stapling further improves this by having the server pre-fetch and cache the OCSP response.
4 / 5
What is a 'chain of trust' in the context of TLS certificates?
Browsers and OSes ship with a set of trusted root certificates. When a server presents its certificate, the client builds a chain: end-entity → intermediate CA → root CA. Each certificate's signature is verified using the issuer's public key. If the chain leads to a trusted root and no certificate is expired or revoked, trust is established.
5 / 5
A self-signed certificate differs from a CA-issued certificate in that:
Self-signed certificates provide encryption but no identity assurance — anyone can create one claiming to be any domain. They are appropriate for internal services, development environments, or testing. In production, a CA-signed certificate is required so users receive trusted identity verification without security warnings.