cross-certification
The act or process by which a CA in one PKI issues a public-key certificate to a CA in another PKI. [X509] (See: bridge CA.)
Senses
(I)
The act or process by which a CA in one PKI issues a public-key certificate to a CA in another PKI. [X509] (See: bridge CA.)
Tutorial: X.509 says that a CA (say, CA1) may issue a "cross-certificate" in which the subject is another CA (say, CA2). X.509 calls CA2 the "subject CA" and calls CA1 an "intermediate CA", but this Glossary deprecates those terms. (See: intermediate CA, subject CA).
Cross-certification of CA2 by CA1 appears similar to certification of a subordinate CA by a superior CA, but cross-certification involves a different concept. The "subordinate CA" concept applies when both CAs are in the same PKI, i.e., when either (a) CA1 and CA2 are under the same root or (b) CA1 is itself a root. The "cross-certification" concept applies in other cases:
First, cross-certification applies when two CAs are in different PKIs, i.e., when CA1 and CA2 are under different roots, or perhaps are both roots themselves. Issuing the cross-certificate enables end entities certified under CA1 in PKI1 to construct the certification paths needed to validate the certificates of end entities certified under CA2 in PKI2. Sometimes, a pair of cross-certificates is issued -- by CA1 to CA2, and by CA2 to CA1 -- so that an end entity in either PKI can validate certificates issued in the other PKI.
Second, X.509 says that two CAs in some complex, multi-CA PKI can cross-certify one another to shorten the certification paths constructed by end entities. Whether or not a CA may perform this or any other form of cross-certification, and how such certificates may be used by end entities, should be addressed by the local certificate policy and CPS.
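The two cases above, as an added example that is not part of RFC 4949: certificates are modeled only as (issuer, subject) pairs, and a relying party searches for a certification path from its trust anchor to a target. All names (Root1, CA-A1, alice, and so on) are constructed, and signatures, validity periods and policy or name constraints are not modeled.

```python
from collections import deque

# Constructed sample data: each certificate is an (issuer, subject) pair.
PKI1 = [("Root1", "CA1"), ("CA1", "alice")]
PKI2 = [("Root2", "CA2"), ("CA2", "bob")]
CROSS_CA1_TO_CA2 = ("CA1", "CA2")  # cross-certificate issued by CA1 to CA2
CROSS_CA2_TO_CA1 = ("CA2", "CA1")  # the reverse certificate of the pair

# Constructed multi-CA PKI whose relying parties use their own CA as trust anchor.
MESH = [("CA-A1", "CA-A"), ("CA-A", "Root"), ("Root", "CA-B"),
        ("CA-B", "CA-B1"), ("CA-B1", "carol")]
SHORTCUT = ("CA-A1", "CA-B1")  # cross-certificate that shortens the path


def build_path(certs, trust_anchor, target):
    """Return the shortest chain of certificates from trust_anchor to target, or None."""
    by_issuer = {}
    for cert in certs:
        by_issuer.setdefault(cert[0], []).append(cert)
    queue = deque([(trust_anchor, [])])
    seen = {trust_anchor}  # stops loops created by a mutual cross-certificate pair
    while queue:
        name, path = queue.popleft()
        if name == target:
            return path
        for cert in by_issuer.get(name, []):
            if cert[1] not in seen:
                seen.add(cert[1])
                queue.append((cert[1], path + [cert]))
    return None


if __name__ == "__main__":
    both = PKI1 + PKI2
    # Case 1: different PKIs. No path exists until CA1 cross-certifies CA2.
    print(build_path(both, "Root1", "bob"))
    print(build_path(both + [CROSS_CA1_TO_CA2], "Root1", "bob"))
    # A one-way cross-certificate does not help relying parties in PKI2.
    print(build_path(both + [CROSS_CA1_TO_CA2], "Root2", "alice"))
    print(build_path(both + [CROSS_CA1_TO_CA2, CROSS_CA2_TO_CA1], "Root2", "alice"))
    # Case 2: same PKI. The cross-certificate shortens the path from 5 to 2.
    print(len(build_path(MESH, "CA-A1", "carol")))
    print(len(build_path(MESH + [SHORTCUT], "CA-A1", "carol")))
```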
- Source: IETF RFC 4949, Internet Security Glossary (Version 2), https://www.rfc-editor.org/rfc/rfc4949.txt (rfc-editor.org), Jan 06, 2026. RFC 4949 is published by the IETF Trust and marked as "Distribution of this memo is unlimited". Verify IETF Trust copyright/licensing terms for reuse.