The issue of Key Management is an important consideration when selecting any CA system. To understand its importance, you must first understand the real difference between the key-pair and the certificate. The key-pair provides the authentication and the unique identity of the end user. The certificate that is used to sign this key-pair tells you that it is valid and ‘not out of date’. Together, the key-pair and the certificate create the ‘package’ that makes up the digital certificate.
When considering whether you need (or want) Key Management, you should clearly understand the total environment that your digital certificates will be used in and, in particular, your end users. This requires that you pay special attention to the following three ‘Top Considerations’ when selecting the correct CA for you:
Three Top Considerations
The Fourth Top Consideration
Certificate/Key Backup can be a valuable service where there is a risk that a user losing their digital certificate, or the certificate becoming corrupted for any reason, may cause serious issues for the CA administrator or the organisation. Typically, this concern only exists where a user certificate is being used to encrypt data. With Certificate Backup, the user can request a replacement for the lost keys that were used when their digital certificate was generated.
Certificate/Key Backup can be likened to leaving the spare key for your house with a trusted neighbour, so that if anything happens to the original you know you have a spare. This type of help from your trusted neighbour could also be referred to as key backup. Alternatively, and using the same analogy, it might be just as good to have a backup key stored elsewhere. The CA equivalent of this is called the digital certificate backup.
Backing up computer data is now understood to be a routine responsibility, and including the user’s digital certificate backup in this routine is a simple task that your network administrator should provide for you on request.
Key Management is often mistakenly linked to the Certificate/Key Backup service; it should be clearly understood as a separate service that many CAs provide so that users can manage multiple key-pairs and certificates.
Key Management is only necessary when users have multiple keys, and this only occurs when the Disposable Binding Option (see subsections 3.8.4 and 126.96.36.199) is chosen. To understand why Key Management is only needed in these special cases, you must first understand the X.509 elements that are used when generating the digital certificate.
Following the principles of Dual Key Cryptography, the public and private key form the key-pair that is used to authenticate the user. This key-pair is generated using the RSA algorithm and, once created, the certificate signs the key-pair with the information that you see when you open the digital certificate. This signing procedure inextricably ‘binds’ the specific key-pair to the specific certificate that was used to sign it. These are the elements that make up the digital certificate.
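The binding between an RSA key-pair and its certificate, and the Certificate/Key Backup routine described earlier, can both be exercised with the OpenSSL command line. The script below is an added example, not code from the original page or from any particular CA product: it generates a key-pair, issues a self-signed certificate in place of a CA-issued one (an assumption made so the example runs offline), checks that the certificate carries the public half of exactly that key-pair, and bundles both into a password-protected PKCS#12 backup from which the key can later be restored and re-checked. File names, the subject name and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example: key-pair <-> certificate binding check plus PKCS#12 backup.
# Assumes the OpenSSL CLI is installed; the self-signed certificate stands in
# for one issued by a CA. All names below are constructed placeholders.

WORK="${TMPDIR:-/tmp}/keybind.$$"

# Step 1: create the key-pair (RSA) and a certificate that binds its public key
# to an identity. A real CA would sign the certificate; here it is self-signed.
make_key_and_cert() {
    mkdir -p "$WORK"
    openssl genrsa -out "$WORK/user.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/user.key" -days 365 \
        -subj "/CN=example user/O=Example Org" \
        -out "$WORK/user.crt" 2>/dev/null
}

# SHA-256 over the DER-encoded public key embedded in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The same fingerprint, derived from a private key file.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds (exit 0) only when the private key and the certificate belong to
# the same key-pair, i.e. the certificate really is bound to this key.
key_matches_cert() {
    [ "$(key_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

# Backup: key + certificate in one password-protected PKCS#12 bundle.
backup_bundle() {
    openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" \
        -passout "pass:$1" -out "$WORK/user-backup.p12"
}

# Restore: pull the private key back out of the bundle into a new file.
restore_key() {
    openssl pkcs12 -in "$WORK/user-backup.p12" -nocerts -nodes \
        -passin "pass:$1" -out "$WORK/restored.key" 2>/dev/null
}

make_key_and_cert
if key_matches_cert "$WORK/user.key" "$WORK/user.crt"; then
    echo "certificate is bound to this key-pair"
fi
```

After restoring from a backup, run the same `key_matches_cert` check against the restored key before putting it back into service; a mismatch means the wrong backup (or a key from a different key-pair) was restored.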