Figure 105 shows the structure of a single-domain certificate authority.
Figure 105: PKI Hierarchy of Trust—CA Domain
If certificates are used solely within an organization, that organization can have its own CA domain within which a company CA issues and validates certificates for its employees. If that organization later wants its employees to exchange their certificates with those from another CA domain (for example, with employees at another organization that also has its own CA domain), the two CAs can develop cross-certification by agreeing to trust the authority of each other. In this case, the PKI structure does not extend vertically but does extend horizontally. See Figure 106.
Figure 106: Cross-Certification
 | Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |