(In English only)
CAs and certificates are a key part of secure internet communication. For each device (server, firewall, client or other appliance) on which you want to activate secure, encrypted communication and/or authentication, you need both a private and a public key, and a certificate for them from a "trusted third party", a certificate authority (CA). All this is part of what is known as PKI, public key infrastructure.
Usually this "trusted third party" is a commercial company that makes certificates its business. Trivore Corp. also acts as a "trusted third party" via its Root CA. The commercial companies have their root certificates preinstalled in most web browsers. Our root certificate is not preinstalled anywhere.
As certificates from the major companies are usually prohibitively expensive for more casual use, Trivore Corp. decided to create a root certificate authority (rootCA). There are other reasons to create a rootCA, too. We need certificates for our servers, and some of our customers need certificates for their servers. And then there is also the ubiquitous learning aspect: we wanted to know how it is done in the real world.
This Trivore rootCA is the key to all our PKI services. PKI is usually a hierarchical structure with three or more levels. We do not certify client and server certificates at the Trivore rootCA level, but at one of the subordinate CAs below it.
The hierarchy currently has three levels: the rootCA (which is certified by itself - it wouldn't be a root otherwise), intermediate CAs (which are certified by the rootCA), and the host/server/firewall/client certificates (which are certified by the intermediate CAs). This kind of hierarchical structure is also known as chained.
For any of the intermediate CAs to be usable, its certificate and the rootCA certificate have to be imported into the browser accessing any service whose server certificate was signed by that CA. Hmm... Sounds a bit complicated :-| Read on!
For obvious reasons it is impossible for Trivore Corp. to get our CA certificates imported into every browser in existence. That is why, if you use our services, you have to import our certificates manually once on every computer and browser you use to access these services.
What you really need to import are the rootCA certificate (marked 1 below) and the certificate of the CA certifying the server/service you are using (marked 2 below). With Trivore Corp. services, this second CA is usually "CA 01". It doesn't hurt much if you import more CA certificates than you need, as long as they come from a reliable source. Trivore Corp. is a reliable source :-)
The Trivore CA certificates are offered in three different formats. Depending on your browser or other application, one or more of the links below should work. Most PC browsers like "PEM/.crt" certificates, but the Nokia Communicator 9210/9210i/9290/9300/9300i/9500 and Nokia E series phones only seem to accept "DER/.der" certificates.
The main Trivore root CA certificate you need to import:
Trivore Corp. 4096-bit Root CA Certificate - 1 (base64 encoded X.509/PEM format, .crt extension).
Trivore Corp. 4096-bit Root CA Certificate - (DER encoded binary X.509 format, .der extension).
Trivore Corp. 4096-bit Root CA Certificate - (base64 encoded X.509/PEM format, .pem extension).
The Trivore public services CA you should import:
Trivore Corp. 4096-bit CA 01 Certificate - 2 (base64 encoded X.509/PEM format, .crt extension).
Trivore Corp. 4096-bit CA 01 Certificate - (DER encoded binary X.509 format, .der extension).
Trivore Corp. 4096-bit CA 01 Certificate - (base64 encoded X.509/PEM format, .pem extension).
The Trivore rare services CA you may import:
Trivore Corp. 4096-bit CA 02 Certificate - (base64 encoded X.509/PEM format, .crt extension).
Trivore Corp. 4096-bit CA 02 Certificate - (DER encoded binary X.509 format, .der extension).
Trivore Corp. 4096-bit CA 02 Certificate - (base64 encoded X.509/PEM format, .pem extension).
The Trivore external services CA you probably should import:
Trivore Corp. 4096-bit CA 03 Certificate - 3 (base64 encoded X.509/PEM format, .crt extension).
Trivore Corp. 4096-bit CA 03 Certificate - (DER encoded binary X.509 format, .der extension).
Trivore Corp. 4096-bit CA 03 Certificate - (base64 encoded X.509/PEM format, .pem extension).
The PEM/.crt above contains only the ASCII encoded certificate. The DER/.der above contains only a binary encoded certificate. The PEM/.pem above contains first a human-readable version of the certificate, and then the ASCII encoded certificate.
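The three formats carry the same certificate, so before importing a CA certificate you can reduce any of them to its DER bytes and compare one SHA-256 fingerprint against a value obtained from the CA over a separate channel. The sketch below is an added example, not part of Trivore's page; the function names and the sample data are assumptions, and the sample is a constructed stand-in rather than a real certificate.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of the single certificate in a .crt, .der or .pem file."""
    blocks = PEM_BLOCK.findall(data)
    if len(blocks) > 1:
        raise ValueError("expected one certificate, found %d" % len(blocks))
    if blocks:
        # .crt holds just the block; .pem has a text dump first, then the block.
        der = base64.b64decode(b"".join(blocks[0].split()), validate=True)
    else:
        der = data  # no PEM armour, so treat the input as binary DER
    check_outer_sequence(der)
    return der


def check_outer_sequence(der: bytes) -> None:
    """Reject input that is not exactly one DER SEQUENCE (catches truncated downloads)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        header, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated or trailing data")


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, the value certificate viewers display."""
    return hashlib.sha256(to_der(data)).hexdigest()


# Constructed stand-in for a certificate: a valid outer SEQUENCE, not a real cert.
_body = bytes(range(256)) * 2
SAMPLE_DER = b"\x30\x82" + len(_body).to_bytes(2, "big") + _body
SAMPLE_CRT = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode()
SAMPLE_PEM = b"Certificate:\n    Data:\n        Version: 3 (0x2)\n" + SAMPLE_CRT
```

Calling `fingerprint()` on the contents of a downloaded file gives the same hex string whichever of the three formats was fetched; a mismatch with the out-of-band value means the file should not be imported.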
When you import/install the certificate, some browsers require you to choose what the certificate is to be used for. Please select "web sites" and "email users" in the corresponding dialog.
Currently the rootCA, CA01, CA02, and CA03 key lengths are 4096 bits. This key length is currently considered very secure. It might even be so strong that it slows down some older devices. If that is the case, please report it to us. Another rootCA with a higher key length will probably be introduced in a few years' time.
Trivore customers and partners may always request client, server, firewall, and even subordinate (intermediate) CA certificates for their own use. All that is needed is a valid Certificate Signing Request (CSR) in a .csr file. If required, we can handle the whole thing - for a fee, of course.
If you want to learn more about how to create and manage your own rootCA, create a CSR, sign a certificate, manage a CRL, etc., please contact us.
trivore.com | © 2008 Trivore