Securing PKI: Appendix D: Glossary of Terms


Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012

For the NIST glossary of terms, refer to Glossary of Security Information Terms in NISTIR 7298 Rev. 2.

The Microsoft Security Glossary is located at

The Windows Server 2008 R2® glossary is located at

Policy Terms


Term Definition

Asset Owner

The creator, generator, originator, or primary possessor of an Asset, or agent(s) to which the Asset Owner has given consent to act as a fiduciary with regard to specific assets, according to a documented agreement.

Certificate Policy (CP)

A specialized form of administrative policy tuned to electronic transactions performed during certificate management. A Certificate Policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery, and administration of digital certificates. Indirectly, a certificate policy can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications.

Certificate-Related Information

Information, such as a subscriber's postal address, that is not included in a certificate. May be used by a CA managing certificates.

Certification Practice Statement (CPS)

A statement of the practices that a CA employs in issuing, suspending, revoking, and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this Certificate Policy, or requirements specified in a contract for services).

Key Recovery

Mechanisms and processes that allow authorized parties to retrieve the cryptographic key used for data confidentiality.

Online Certificate Status Protocol (OCSP)

An online protocol used to determine the status of a public key certificate.

Rekey (a certificate)

To change the value of a cryptographic key that is being used in a cryptographic system application; this normally entails issuing a new certificate on the new public key.

Renew (a certificate)

The act or process of extending the validity of the data binding asserted by a public key certificate by issuing a new certificate.

Revoke a certificate

To prematurely end the operational period of a certificate effective at a specific date and time.

Standard Operating Procedure (SOP)

A document that describes how to implement a configuration or execute a process that is considered mandatory for a specific PKI. SOPs serve as the documented record of a given team's compliance with relevant Policy and/or requirement statements.


Mandatory prerequisites for all PKIs. Standards are subordinate to Policy statements, and are designed to provide more explicit definition of Policy intent.

Update (a Certificate)

The act or process by which data items bound in an existing public key certificate, especially authorizations granted to the subject, are changed by issuing a new certificate.

PKI Objects


Term Definition

Active Directory® Certificate Services

Active Directory® Certificate Services (AD CS) is an Identity and Access Control security technology that provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies.

Authority Information Access (AIA)

Specifies where to find up-to-date certificates for the CA.

(Certificate) Repository

A database containing information and data relating to certificates as specified in a CP; may also be referred to as a directory.

(Certificate) Trust List

The collection of trusted certificates used by Relying Parties to authenticate other certificates.

Certificate Chain (Certification Path)

A chain of certificates consisting of the subscriber certificate, issuing CA certificate, intermediate CA certificate(s) and the root CA certificate.

Certificate Profile

Detailed description of the structure, components, and the origin of the data in the certificate

Certificate Revocation Lists (CRLs)

A list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore, entities presenting those (revoked) certificates should no longer be trusted

Certificate Status Service

A trusted entity that provides online verification to a Relying Party of a subject certificate's trustworthiness, and may also provide additional attribute information for the subject certificate.

CRL Distribution Points (CDPs)

The location where you can download the latest CRL.

Encryption Certificate

A certificate containing a public key that is used to encrypt electronic messages, files, documents, or data transmissions, or to establish or exchange a session key for these same purposes.

Extended Key Usage (EKU)

Defines what a certificate will be used for.

Hardware Security Module (HSM)

A hardware security module is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptographic operations processing.

Intermediate Certification Authority

A CA that is subordinate to another CA, and has a CA subordinate to itself.

Issuing Certification Authority

A subordinate CA that issues certificate to end user and computers (certificate subjects).

Object Identifier (OID)

A globally unique value associated with an object to unambiguously identify it used in Abstract Syntax Notation (ASN.1)

Registration Authority (RA)

A trusted entity that establishes and vouches for the identity of a Subscriber to a CA. The RA may be an integral part of a CA, or it may be independent of a CA, but it has a relationship to the CA.

Root Certification Authority

The CA at the top of a PKI hierarchy that is explicitly trusted by all subscribers and relying parties whose public key serves as the most trusted datum (i.e., the beginning of trust paths) for a security domain.

Self-signed Certificate

A certificate that 1: uses its public key to verify its own signature; 2: the subject name is identical to the issuer name.

Signature Certificate

A public key certificate that contains a public key intended for verifying digital signatures rather than encrypting data or performing any other cryptographic functions.

Subordinate Certification Authority

A CA whose certificate signature key is certified by another CA, and whose activities are constrained by that other CA.

Superior Certification Authority

A CA that has certified the certificate signature key of another CA, and who constrains the activities of that CA.

See Also

Securing Public Key Infrastructure (PKI)
Securing PKI: Introduction
Securing PKI: Planning a CA Hierarchy
Securing PKI: Physical Controls for Securing PKI
Securing PKI: PKI Process Security
Securing PKI: Technical Controls for Securing PKI
Securing PKI: Planning Certificate Algorithms and Usages
Securing PKI: Protecting CA Keys and Critical Artifacts
Securing PKI: Monitoring Public Key Infrastructure
Securing PKI: Compromise Response
Securing PKI: Appendix A: Events to Monitor
Securing PKI: Appendix B: Certification Authority Audit Filter
Securing PKI: Appendix C: Delegating Active Directory PKI Permissions
Securing PKI: Appendix E: PKI Basics
Securing PKI: Appendix F: List of Recommendations by Impact Level
Security and Protection
Secure Windows Server 2012 R2 and Windows Server 2012