Authenticating and Enrolling with the CA

If you want to use a new CA as a trusted entity, and want to request and receive your own identity certificate from this CA, it is really a two-step process:

Step 1. The first step is to authenticate the CA server, or in other words to establish trust in the CA server. Unfortunately, if you do not have the public key for a CA server, you cannot verify the digital signature of the CA server. This is sort of like the chicken and the egg story, because you need the public key, which can be found in the root CA's certificate, but you cannot verify the signature on a certificate until you have the public key.

To get the ball rolling, you could download the root certificate and then use an out-of-band method, such as making a telephone call, to validate it. After downloading the root certificate and looking at its hash value, you call the administrators of the root CA and ask them to tell you verbally what the hash is. If the hash that they tell you over the phone matches the hash that you see on the digital certificate (and assuming that you called the right phone number and talked with the right people), you then know that the certificate is valid, and you can use the public key contained in that certificate to verify future certificates signed by that CA. This process of getting the root CA certificate installed is often referred to as authenticating the CA. Current web browsers automate this process for well-known CAs.

Step 2. After you have authenticated the root CA and have a known good root certificate for that CA, you can then request your own identity certificate. This involves generating a public-private key pair and including the public key portion (the private key stays with you) in any request for your own identity certificate. An identity certificate could be for a device or a person. Once you make this request, the CA can take all of your information, generate an identity certificate for you that includes your public key, and send this certificate back to you. If this is done electronically, how do you verify that the identity certificate you received is really from the CA server that you trust? The answer is simple: the CA has not only issued the certificate, it has also signed it. Because you authenticated the CA server earlier and have a copy of its digital certificate with its public key, you can now verify the digital signature it placed on your own identity certificate. If the signature from the CA is valid, you know that your certificate is valid, and you can install it and use it.
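The two steps above, carried out with the openssl command line as an added example (this is not code from the book). The root CA is a throw-away one built locally so the example runs offline; the CA name "Example Root CA", the device name router1.example.net and the $WORK directory are assumptions, and the "phone call" is simulated by reading the fingerprint from the local CA certificate.

```shell
#!/bin/sh
# Added example, not from the book. Names and paths are hypothetical.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Throw-away self-signed root CA standing in for the real CA server.
make_root_ca() {   # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Step 1: authenticate the CA. $2 is the fingerprint obtained out of band
# (what the CA administrators read to you over the phone). Succeeds only on a match.
authenticate_ca() {   # $1 = downloaded root cert, $2 = out-of-band SHA-256 fingerprint
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    [ "$(echo "$actual" | tr 'a-f' 'A-F')" = "$(echo "$2" | tr 'a-f' 'A-F')" ]
}

# Step 2a: generate the key pair; the CSR carries only the public key.
make_csr() {   # $1 = file prefix, $2 = subject common name
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Step 2b: the CA side signs the request with its private key.
ca_sign() {   # $1 = CA file prefix, $2 = CSR, $3 = output identity cert
    openssl x509 -req -sha256 -days 365 -in "$2" \
        -CA "$1.crt" -CAkey "$1.key" -CAcreateserial -out "$3" 2>/dev/null
}

# Step 2c: verify the CA's signature on the returned identity certificate
# using only the root certificate authenticated in step 1.
verify_identity_cert() {   # $1 = authenticated root cert, $2 = identity cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Whole flow, plus a certificate issued by a CA you never authenticated.
demo() {
    make_root_ca ca "Example Root CA"
    make_root_ca other "Other CA"
    # Simulated phone call: the fingerprint the CA administrators read out.
    phone_fp=$(openssl x509 -in ca.crt -noout -fingerprint -sha256 | cut -d= -f2)
    authenticate_ca ca.crt "$phone_fp" || return 1
    make_csr router1 router1.example.net
    ca_sign ca router1.csr router1.crt
    ca_sign other router1.csr other-router1.crt
    verify_identity_cert ca.crt router1.crt || return 1
    verify_identity_cert ca.crt other-router1.crt && return 1
    echo "enrollment verified: router1.crt is signed by the authenticated CA"
}
```

Run `demo` to execute both steps; the certificate signed by "Other CA" fails verification because its signature cannot be checked with the root certificate you authenticated.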
