1

I'm trying to set up OpenVPN and I'm a bit confused about the terms.

From what I've read, a PKI consists of:

  • A separate certificate (also known as a public key)
  • A private key for the server and each client.

That part I'm fine with and I understand.

The second part of a PKI, and the part I'm having a bit of trouble understanding due to all the different terms is about the Certificate Authority (CA).

The documentation says

Generate the master Certificate Authority (CA) certificate & key

In this section we will generate a master CA certificate/key, a server certificate/key certificate and key which is used to sign each of the server and client certificates.

The terms I have heard thrown around and part of what confused me is people referring to

  • Master keys
  • Root Certificates
  • Certificate Authority private keys
  • Certificate Authority keys
  • Certificate Authority certificates

I'm not sure if several of these are all referring to the same thing but the Certificate Authority has me very confused.

Why does the certificate Authority have keys in the first place? I thought the job of the Certificate Authority was to sign keys on servers and clients. Does the CA also need a private key in this process? Is this private key with people referring to when they talk about master keys or root certificates. And are these root certificates the same thing as private keys?

I've been through several web pages and I'm still having trouble understanding the CA.

johnramsden
  • 125

2 Answers2

0

In this section we will generate a master CA certificate/key, a server certificate/key certificate and key which is used to sign each of the server and client certificates.

That... I'm guessing that's just the result of copy&paste accidentally mashing two different paragraphs together. It should be like this:

"In this section we will generate a master CA certificate/key which is used to sign each of the server and client certificates."

Why does the certificate Authority have keys in the first place? I thought the job of the Certificate Authority was to sign keys on servers and clients.

Well, yes, and that's exactly what the keys are for – all common types of digital signatures require a keypair. TLS clients & servers use their keys to sign the connection "handshake" data, while CAs use their keys to sign the issued certificates.

Is this private key with people referring to when they talk about master keys or root certificates. And are these root certificates the same thing as private keys?

Close, but no. Certificates only hold the public half of the keypair, along with some extra information (owner name, issuer name and signature, &c.). So they are never the same thing as private keys, but they do always come in matching pairs.

If someone signs a file with their private key, you can verify the signature against the public key stored in their certificate. For example, all issued certs are signed by the CA's private key, and verified against the CA's certificate.

(The CA's own certificate is signed by itself, but there's no point in actually verifying it, since it was explicitly configured as a trusted root.)

So in the end, all the terms you listed refer to the same thing – your new CA has one keypair (a private key and a matching certificate), and uses it to sign all issued certs.

u1686_grawity
  • 452,512
0

Here are some good articles about how certificate works. It will be helpful for understanding digital certificate:

What are certificates

How certificate works

Steven Lee - MSFT
  • 923