Cross certificate

A cross-certificate enables the use of certificates across the boundaries of different public key infrastructures (PKIs).

PKIs are cryptographic systems that can issue and verify digital certificates. Digital communication is secured by certificates issued in this way.

What is a cross certificate?

A mutual trust relationship between two certificate authorities requires each certificate authority to issue a certificate to the other to establish the relationship in both directions. After two certification authorities establish trust conditions and issue certificates to each other, entities within the separate PKIs can interact according to the policies specified in the certificates.

  • A cross-certificate is used to link public key infrastructures.
  • Each cross-certificate is limited to a single domain at a time.
  • Cross-certificates allow PKI applications to achieve synergy and thus greater business value.
  • Even in the case of simple models, two domains may not have two exactly matching certificate policies.
  • The question then arises whether equating the two policies by means of cross-certificates is justified.
  • The number of bilateral cross-certificates increases quadratically with the number of certificate authorities.

Example: 20 certification authorities require 380 (20 * 19) bilateral cross-certificates between these entities.

Bridge Certification

One solution for an excessive number of cross-certificates is a bridge certification authority. A bridge certification authority exchanges cross-certificates with all participating certification authorities. In this way, the certificates of each participating PKI can be traced back to the certificates of every other participating PKI via the cross-certificates of the bridge certification authority. The bridge certification authority thus forms a hub for the trust relationships of the participating PKIs.
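The following added example (not code from the original article) models the two topologies described above, the full bilateral mesh and the bridge CA, as a directed graph in which every issued cross-certificate is an edge from issuer to subject. It reproduces the 20 * 19 = 380 count from the example above, shows that the bridge needs only 2 * 20 certificates, and builds the certification path a relying party would have to validate to reach another PKI through the bridge. The CA names and the "BridgeCA" label are constructed for the example.

```python
"""Cross-certification topologies: bilateral mesh versus bridge CA (added example)."""
from collections import deque


def mesh_cross_certs(cas):
    """Bilateral cross-certification: every CA issues a certificate to every other CA.
    Yields n * (n - 1) certificates, i.e. quadratic growth."""
    return [(issuer, subject) for issuer in cas for subject in cas if issuer != subject]


def bridge_cross_certs(cas, bridge="BridgeCA"):
    """Bridge topology: each CA and the bridge certify each other, nothing else.
    Yields 2 * n certificates, i.e. linear growth."""
    certs = []
    for ca in cas:
        certs.append((ca, bridge))   # CA certifies the bridge
        certs.append((bridge, ca))   # bridge certifies the CA
    return certs


def certification_path(certs, trust_anchor, target):
    """Shortest chain of certificates from the relying party's trust anchor to
    the target CA, following edges in issuer -> subject direction (breadth-first
    search). Returns a list of (issuer, subject) pairs, or None if no path exists."""
    graph = {}
    for issuer, subject in certs:
        graph.setdefault(issuer, []).append(subject)
    prev = {trust_anchor: None}
    queue = deque([trust_anchor])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while prev[node] is not None:
                path.append((prev[node], node))
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None  # the two PKIs are not connected by any cross-certificates


if __name__ == "__main__":
    cas = [f"CA{i}" for i in range(1, 21)]  # the article's 20 certification authorities
    print(len(mesh_cross_certs(cas)))       # 380
    print(len(bridge_cross_certs(cas)))     # 40
    print(certification_path(bridge_cross_certs(cas), "CA1", "CA7"))
```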
