About Public Key Infrastructure

Disclaimer

We do not guarantee the accuracy of this copy of the CRA website.

A PKI is an automated system that manages the generation, maintenance, and delivery of encryption and digital signature keys. Together, encryption and digital signature keys provide:

  • Confidentiality - Data is obscured and protected from view or access by unauthorized individuals.
  • Integrity - The verifier of a digital signature can easily determine whether or not digitally signed data has been altered since it was signed.
  • Authentication - Users can securely identify themselves to other users and servers on a network without sending secret information (such as passwords) over the network.
  • Non-repudiation - Users who digitally sign data cannot later successfully deny having signed that data.
  • Access control - Data can only be accessed in a comprehensible form by those specifically identified when data was encrypted.

Both key types - encryption and digital signature - have two related components: a public key component that is accessible to all users, and a private key component that must be secured from access by others.

The public key and other identification information are stored in a digital certificate that is digitally signed by a Certification Authority (CA). The CA's digital signature on the digital certificate binds the identity of the end-entity with its public key. It also guarantees that the public key has not been tampered with.
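The binding described above can be checked in code. The following is an added example, not part of the original page or of any CRA system: it uses Go's standard `crypto/x509` package to issue a certificate from a throwaway CA, verify the CA's signature over the certificate body, and show that the check fails once a single bit of that body changes. The helper names `issue` and `BindingDemo` and both subject names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair for subject cn and has signer certify it (nil parent: self-signed CA).
func issue(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BindingDemo returns whether the CA signature verifies over the issued body and over an altered copy.
func BindingDemo() (genuine, altered bool, err error) {
	ca, caKey, err := issue("Constructed Example CA", nil, nil)
	if err != nil {
		return
	}
	cert, _, err := issue("Constructed End-Entity", ca, caKey)
	if err != nil {
		return
	}
	genuine = ca.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	forged := append([]byte(nil), cert.RawTBSCertificate...)
	forged[len(forged)/2] ^= 0x01 // change one bit of the signed identity/public-key data
	altered = ca.CheckSignature(cert.SignatureAlgorithm, forged, cert.Signature) == nil
	return
}

func main() { fmt.Println(BindingDemo()) } // expect: true false <nil>
```

The signature check only proves the certificate body is what the CA signed; a relying party must still confirm that it trusts that CA and that the certificate is within its validity period and not revoked.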

To create a level of assurance or trust in the CA, certain policies and procedures must be followed. One of the main issues is the registration process, which involves how a client is identified and authenticated before a digital certificate is issued.

Certification Policy (CP)

Prior to using CRA PKI-enabled applications, participants should be aware of their rights, obligations and responsibilities contained in the CRA Certificate Policy (PDF, 881KB), especially sections 1.3.3, 1.4, 9.6.3, and 9.6.4.


Page details

Date modified: 2019-06-12