When deciding on whether the Managed CA or the CA Software is most suited to you, you should understand the difference between an open and a closed user group. From a CA perspective, this relates to the extent of end user control you have. If the CA exercises some degree of control over the end user’s environment then it is a closed user group and if it doesn’t, it is in an open group.

Digital certificates can be used in a variety of different security situations, however the common uses are for proving identity, digitally signing/sealing files and encrypting data. These important capabilities are integral parts of any secure environment.

In the same way that a Grandfather can be traced back from the Grandson (and if needed the true legal identity proven using DNA analysis); a web server certificate can be traced back to its Root and by definition this relationship is tested, verifiable and cannot be compromised.

All digital certificates come from a certificate Authority [CA] that is a computer system that is capable of issuing these different types of digital certificate.

Secure Socket Layer [SSL] server certificates are installed on a server. This can be a server that hosts a website like www.digi-sign.com, a mail server, a directory or LDAP server, or any other type of server that needs to be authenticated, or that wants to send and receive encrypted data.

The rules, methods and guidelines that specify how the digital certificate is distributed to the end user are documented in the Certificate Policy [CP]. The CP is the ‘Who, What, Where and How’ document that describes the principles of the digital certificate usage and how they are to be distributed. This CP is agreed before the CA is operational and all digital certificates must be deployed in accordance with the CP.

Public keys and Private Keys ‘recognize’ each other and because the public key can be freely distributed, the web server can store all the public keys belonging to its list of authorized users and match the Keys for users seeking access. This is called On-to-One authentication.