Cathy’s company, a Certificate Authority (CA), verified Bob’s identity and signed his server certificate with Cathy’s private key. Here’s how it happened:
Bob created an asymmetric key pair and a certificate containing his public key together with his identifying information (his name, address, and so on).
Bob's server certificate was not yet signed by a CA. At this stage it was self-signed with his own private key, so nothing but Bob himself vouched for it. Notice that the Issuer and Subject are the same.
Bob sent this certificate to Cathy with a request that she verify his identity. (He probably also sent money with his request.) In practice the request takes the form of a certificate signing request (CSR) generated from the same key pair: it carries Bob's public key and subject information and is signed with his private key, which proves to Cathy that whoever sent it holds that key. What Bob did not send Cathy was his private key; nothing in the process requires it to leave his server.
As a CA, Cathy owns a pair of keys and a trusted root certificate.
Cathy's root certificate is also self-signed. It is the top of the chain of trust, so nothing above it vouches for it, and its value rests entirely on the matching private key staying secret. Cathy keeps that private key on a computer that is not connected to the internet and is stored in a vault.
After thoroughly checking Bob’s credentials, Cathy extracted Bob’s public key and metadata from his self-signed certificate and created a new certificate with her name as the Issuer.
Notice how the Issuer and Subject are different from the self-signed certificate that Bob sent Cathy.
Cathy then signed this new certificate with the private key that belongs to her root certificate. (In this description Cathy signs with the root key directly. A commercial CA normally keeps the root key offline and signs server certificates with an intermediate certificate that the root has signed; that adds one more link to the chain but does not change the principle.)
Cathy compressed the new server certificate and a copy of her root certificate, which contains only her public key (Figure 12), into password-protected files, put them on a website and emailed the links to Bob. Neither file contains a private key, so the root certificate in particular could just as well have been emailed.
She then phoned Bob and gave him the password for the two files, so that the password travelled over a different channel than the links.
Bob expanded the files and imported his signed server certificate into the Key Store on his JACE, replacing the self-signed certificate. The imported certificate must match the Key Store entry from which the CSR was generated: that entry holds the private key, and a certificate issued for any other public key is useless with it.
Finally, Cathy's root certificate needs to be in Alice's Trust Store; without it Alice has no way to check the signature on Bob's certificate. There are several ways it can get there:
If Cathy is a well-known CA, her root certificate may have been installed when Alice installed her browser.
Since Alice is a customer of Bob’s, he may have created an installation program, which Alice can download and install in her browser.
If Alice is a JACE controller, Bob may install Cathy's root certificate in the office when he sets up each JACE, before taking them out to the field. Or he may put Cathy's root certificate on a thumb drive and take it to the JACE for installation.
The root certificate contains only Cathy's public key, so it is public information and can be emailed. What needs protecting is not its secrecy but its authenticity: whoever can place a root certificate in Alice's Trust Store can impersonate any server to her, so before installing a root received by email or on a thumb drive she should compare its fingerprint with one Bob or Cathy has given her over a separate channel.
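The whole procedure above, from Bob's key pair through Cathy's signature to Alice's Trust Store check, as an added example that is not part of the original Tridium page and is not JACE code: it uses only Go's standard crypto/x509 package. The names "Cathy CA" and "bob.example" are made up for the example, a Go variable holds what Bob's Key Store entry would, and an x509.CertPool plays Alice's Trust Store. The Issue function also shows the one check Cathy can do mechanically, that the CSR is signed by the key it names, as distinct from the identity vetting the page describes.

```go
// Added example, not Tridium's code: the Bob/Cathy/Alice flow above built with Go's
// standard crypto/x509. "Cathy CA" and "bob.example" are constructed names.
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewRootCA builds Cathy's root key and certificate. The template is its own
// parent, which is what self-signed means: Issuer and Subject come out identical.
func NewRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCSR is Bob's side: a fresh key pair plus a signing request that carries his
// subject, host names and public key. The private key is returned only to Bob.
func NewCSR(cn string, dns []string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dns}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return key, der, err
}

// Issue is Cathy's side. CheckSignature proves the requester holds the private key
// for the public key in the CSR; vetting who Bob actually is happens out of band.
func Issue(root *x509.Certificate, rootKey *ecdsa.PrivateKey, csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by its own key: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Parent = Cathy's root, signer = her root key: Issuer is Cathy, Subject and key are Bob's.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// KeyMatches is Bob's import check: the signed certificate must carry the public key
// of the Key Store entry that made the CSR, the only entry holding the matching private key.
func KeyMatches(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// Verify is Alice's side: roots is her Trust Store; the chain must end there and the
// certificate must name the host she is contacting.
func Verify(cert *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	root, rootKey, err := NewRootCA("Cathy CA")
	bobKey, csr, err2 := NewCSR("bob.example", []string{"bob.example"})
	if err != nil || err2 != nil {
		panic(fmt.Sprint(err, err2))
	}
	cert, err := Issue(root, rootKey, csr, 2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Issuer=%q Subject=%q keyMatches=%v\n", cert.Issuer.CommonName, cert.Subject.CommonName, KeyMatches(cert, bobKey))
	fmt.Println("Alice with Cathy's root installed:", Verify(cert, "bob.example", root))
	fmt.Println("Alice with an empty Trust Store:", Verify(cert, "bob.example"))
}
```

Running it prints the Issuer and Subject of the signed certificate, the key-match result that Bob's import depends on, and Alice's verification result with and without Cathy's root: the second Verify call fails with an unknown-authority error, which is exactly the situation the installation options above exist to prevent. As in the text, the root key signs the server certificate directly; with a production CA that signs from an intermediate, Alice's verification would also need the intermediate certificate supplied alongside Bob's.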
Copyright © 2000-2016 Tridium Inc. All rights reserved.