Trust Service Provider (TSP)

Trust Service Providers establish trust between communicating parties that have no prior relationship: each party relies on the TSP to vouch for the identity bound to a public key.

A subscriber (the entity that wants a certificate) generates a key pair, builds a CSR (Certificate Signing Request) containing its public key and the requested name, signs the CSR with the matching private key, and sends it to a CA (Certificate Authority). The CSR is normally transported in PEM format: the DER-encoded PKCS#10 structure, Base64-encoded between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

If the assessment of the request is positive (the CSR's self-signature verifies, which proves possession of the private key, and the requested identity has been validated according to the CA's policy), the CA issues an X.509 certificate: it takes the subject and public key from the CSR, adds the validity period, key usage and other extensions it decides on, and signs the result with its own private key. The CA does not sign the CSR itself; the CSR is only the input to a new certificate.

Root CA: the trust anchor of the PKI. Every chain of trust should end at one. The root CA's certificate is self-signed, since there is nobody above it to vouch for it; relying parties therefore have to obtain it out of band, typically from the trust store shipped with the operating system or browser.

Issuing CA / Intermediate CA / Subordinate CA: a CA whose own certificate is signed by the root (or by another intermediate) and which issues certificates to end entities. Keeping the root key offline and issuing only from intermediates limits the damage when an issuing key is compromised.


CA (TSP) Legal and Technical Requirements


eIDAS Published Standards


Certificate Trust Store

Problem: technically we can have hundreds of root certificates in the trust store. If any one of them is compromised, or its operator issues a certificate it should not, every certificate that chains up to that root is trusted automatically, regardless of which CA the site owner actually uses. The whole store is only as strong as its weakest root.

Certificate pinning

The client picks one specific certificate or public key (a leaf, an intermediate or a single root) and accepts only chains that contain it, even if a chain validates against some other root in the trust store. Browser pinning (HPKP) was abandoned because a wrong or stale pin locks users out of the site for the pin's lifetime; it has mostly been replaced by Certificate Transparency, where every issued certificate must appear in public logs so that mis-issuance can be detected after the fact rather than prevented by the client. Pinning is still common in mobile apps and other clients whose trust decisions the developer controls.
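The whole flow on this page, from CSR to issued certificate and then to the trust-store problem and a pin that addresses it, as an added example in Go. This is not code from the page or from any TSP; it uses only the Go standard library, and the CA names, the hostname www.example.test and the choice of an SPKI-hash pin on the issuing CA are assumptions made for the demonstration:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// must panics on setup errors (key generation, DER encoding); the failures that matter are returned.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// serial draws a random 127-bit serial number; a CA must never issue two certificates with the same one.
func serial() *big.Int { return must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))) }

// newCA makes a CA key and certificate: a self-signed root (trust anchor) if parent is nil, else an issuing CA.
func newCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: serial(), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key // a root is its own issuer and signs with its own key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// subscriberCSR is the subscriber side: a fresh key pair (kept by the subscriber) and a PKCS#10 CSR signed with it; DER here, PEM (Base64) on the wire.
func subscriberCSR(host string) ([]byte, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return must(x509.CreateCertificateRequest(rand.Reader, req, key)), key
}

// issueFromCSR is the CA side: parse the CSR, check its self-signature (proof the requester holds the private key),
// then issue the X.509 certificate. Subject and key come from the CSR; validity, usages and extensions are the CA's call.
func issueFromCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{SerialNumber: serial(), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
	return x509.ParseCertificate(der)
}

// spkiPin is what a pinning client stores: SHA-256 of the SubjectPublicKeyInfo, which survives renewal.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// verify is the relying party: chain leaf via inter to a root in trustStore for host; with a pin, the chain must carry that key.
func verify(leaf, inter *x509.Certificate, trustStore []*x509.Certificate, host string, pin *[32]byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trustStore {
		roots.AddCert(r)
	}
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil || pin == nil {
		return err
	}
	for _, chain := range chains {
		if slices.ContainsFunc(chain, func(c *x509.Certificate) bool { return spkiPin(c) == *pin }) {
			return nil
		}
	}
	return fmt.Errorf("chain validates, but no certificate in it matches the pin")
}

// buildPKI stands up a root, an issuing CA under it, and a leaf for host issued from a subscriber CSR.
func buildPKI(name, host string) (root, inter, leaf *x509.Certificate) {
	root, rootKey := newCA(name+" Root CA", nil, nil)
	inter, interKey := newCA(name+" Issuing CA", root, rootKey)
	csr, _ := subscriberCSR(host)
	return root, inter, must(issueFromCSR(csr, inter, interKey))
}

func main() {
	gRoot, gInter, gLeaf := buildPKI("Good", "www.example.test")    // constructed sample hostname
	rRoot, rInter, rLeaf := buildPKI("Rogue", "www.example.test")   // a compromised or hostile CA
	store, pin := []*x509.Certificate{gRoot, rRoot}, spkiPin(gInter) // both roots sit in the trust store
	fmt.Println(verify(rLeaf, rInter, store, "www.example.test", nil))  // <nil>: the rogue chain is accepted
	fmt.Println(verify(rLeaf, rInter, store, "www.example.test", &pin)) // rejected: no pinned key in the chain
	_ = gLeaf
}
```

Run it and the first line prints <nil>: with both roots in the store, a certificate for the same hostname issued under the rogue root validates exactly like the legitimate one, because the verifier has no way of knowing which CA the site owner actually uses. The second line fails because nothing in the rogue chain carries the pinned SubjectPublicKeyInfo. Pinning the issuing CA's key rather than the leaf lets the site renew its leaf certificate without shipping a new pin, at the cost that losing or rotating that key locks out every client still holding the old pin, which is the operational problem that drove browsers away from pinning.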
