To clarify the differences between CA certificates, local certificates, and self-signed certificates, this post introduces the concepts and descriptions of these certificates.
| Type | Definition | Description |
| --- | --- | --- |
| Self-signed certificate | A self-signed certificate, also called a root certificate, is issued by an entity to itself. In this certificate, the issuer name and subject name are the same. | If an applicant fails to apply for a local certificate from the CA, it can generate a self-signed certificate. The self-signed certificate issuing process is simple. A device does not support lifecycle management (such as certificate update and revocation) for its self-signed certificate. To ensure the security of the device and certificate, you are advised to replace the self-signed certificate with a local certificate. |
| CA certificate | The CA's own certificate. If a PKI system does not have a hierarchical CA structure, the CA certificate is the self-signed certificate. If a PKI system has a hierarchical CA structure, the top CA is the root CA, which owns a self-signed certificate. | An applicant trusts a CA by verifying its digital signature. Any applicant can obtain the CA's certificate (including the public key) to verify the local certificate issued by the CA. |
| Local certificate | A certificate issued by a CA to the applicant. | - |
| Local device certificate | A certificate issued by a device to itself according to the certificate issued by the CA. The issuer name in the certificate is the CA server's name. | If an applicant fails to apply for a local certificate from the CA, it can generate a local device certificate. The local device certificate issuing process is simple. |
For details, see the USG6000E Firewall Product Documentation.
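
The table's distinctions can be checked with OpenSSL. The script below is an added example, not taken from the product documentation: it builds a throwaway PKI, then shows that a self-signed device certificate has matching issuer and subject but does not verify against the CA certificate, while a local certificate does. All names (`Example Lab Root CA`, `fw01.lab.example`), file paths, and the helper functions `make_pki`, `classify`, and `chains_to` are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Every name and path below is constructed for a throwaway lab PKI.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
    # CA certificate: the root CA signs its own certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Lab Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # Self-signed certificate: the device signs its own certificate, no CA involved.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=fw01.lab.example" \
        -keyout "$WORK/device.key" -out "$WORK/device.crt" 2>/dev/null
    # Local certificate: the applicant creates a key and CSR, the CA signs it.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=fw01.lab.example" \
        -keyout "$WORK/local.key" -out "$WORK/local.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/local.csr" -days 30 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/local.crt" 2>/dev/null
}

# Print "self-signed" when issuer and subject match and the signature
# verifies under the certificate's own public key, otherwise "ca-issued".
classify() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo self-signed
    else
        echo ca-issued
    fi
}

# Succeed only if certificate $2 verifies against trusted CA certificate $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_pki
for c in ca device local; do
    printf '%-7s %-12s ' "$c" "$(classify "$WORK/$c.crt")"
    if chains_to "$WORK/ca.crt" "$WORK/$c.crt"; then
        echo "verifies against CA certificate"
    else
        echo "does NOT verify against CA certificate"
    fi
done
```

A peer that holds only the CA certificate accepts `local.crt` and rejects `device.crt`, which is the practical reason the table advises replacing a self-signed certificate with a local certificate.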