Root and Subordinate CAs

If there were only a few CAs in the world, they would soon become overloaded. In fact, there are many. But how does a new CA show its trustworthiness? Usually, by applying for and being granted a certificate from one of the established CAs. A CA certified by another is called a subordinate CA.

A CA that is not certified by any other, but relies solely on its own reputation, is called a root CA. Even a root CA needs a certificate (we'll see below why), and the format of a certificate requires that it be signed, so they create and sign their own certificate. This is called a self-signed certificate or a root certificate.

Similarly, in a large organization, there might be subordinate CAs - for example, each department might run its own CA, each certified by the organization's root CA.

Also, a big CA such as those on the Internet might find that to cope with demand they need several CA machines. Each of these is a subordinate CA, with a certificate granted by one root CA machine.

A subordinate CA can itself certify subordinate CAs, so the standard format for a certificate includes a record of a chain of CAs, each certified by the next, back to a root CA. This chain of certificates is called the certification path. Thus a PKI is hierarchical. You trust the certificate if you know and trust any of the CAs on the certification path.

So in contrast to the web of trust described earlier, a PKI is a tree of trust, with one or more root CAs at the top, subordinate CAs below them and the actual users (client or server) at the bottom.

In a minor departure from this hierarchical nature, CAs can also cross-certify each other. For example, two government departments might each have its own PKI, with its own CA. Within each department, every member has been vetted and then certified by the relevant CA. They might then find that members of the two departments frequently need to communicate with each other. To establish trust between all the members of the two departments, effectively linking the two PKI's into one, all that is needed is for the two CAs to grant each other certificates.