How does a Certificate Authority work internally? What is the procedure to get a new CSR signed within minutes and yet keep the Root CA's private key "safe"?
I mean: what happens from the moment the customer sends a Certificate Signing Request created with her own private key until the CA returns the new signed certificate to the customer? Does the Root CA's private key (or the Intermediate CA's key) need to be in the same box as the CSR?
Answer:
What do you mean by getting a CSR "signed"? As I understand it, a CSR is serviced by a CA: after verifying the identity of the source of the CSR (through Kerberos, AD, etc.), the CA decides whether or not to issue a cert to the requester. It uses its private key to sign a new cert for the client, created using the public key specified in the request and using the template specified (i.e. either update cert information from AD or from the request only, etc.), and then sends the signed certificate back to the client. Neither the client's nor the CA's private key is ever transmitted over the network.

What do you imply by "master CA key"? Do you mean the Root CA's private key? That never needs to be on an intermediate CA box, and is usually kept separate and secure. Intermediate CAs are generally used to actually issue certs, not Root CAs. The private key of the issuing authority (the Intermediate CA) needs to be on the box, else you wouldn't be able to sign and issue certificates.

Generalized protocol:

1. Client creates a public/private key pair. It encodes subject/SAN information, usage restrictions, public key, and other info into a CSR and sends it to the CA.
2. CA verifies that the origin of the CSR is authorized to enroll for certs for said purpose, and either uses the subject info in the request, or retrieves it from AD (this depends on the template used for the request).
3. CA creates a cert for the client, and signs it with its private key. The cert is sent back to the client.
Siddarth Adukia at Quora