Platform Deployment Guide › Advanced Encryption Mode › Advanced Encryption Certificates › Root and Enterprise Certificates

Root and Enterprise Certificates

CA Data Protection uses certificates with a two-level hierarchy:

• Root certificate: This serves as the trusted root certificate. It is used to sign the Enterprise certificate. The root certificate enables CA Data Protection machines to authenticate each other before transferring sensitive data. You must create a self-signed root certificate on a secure server.
• Enterprise certificate: This certificate is signed by the trusted root certificate. CA Data Protection machines use this certificate to encrypt data transfers between machines.

  When you update the enterprise certificate, its serial number is incremented by 1 and the previous serial number is added to the Revocation List (see below).

The root certificate, plus the enterprise certificate and the private key from its associated key pair, are then added to the Key Store and distributed to all CA Data Protection machines. This enables any machine in the CA Data Protection enterprise to use TLS to communicate with any other CA Data Protection machine.