
crosscertification

Cross-certification is a mechanism in public key infrastructure (PKI) and digital certificate ecosystems whereby two or more certification authorities (CAs) or PKI domains establish mutual trust by issuing cross-certificates. Through cross-signing, a CA in one domain signs a certificate for a CA in another domain, creating a trust path that allows certificates issued by either domain to be validated within the other without requiring every end-entity to be enrolled in a single central PKI.

Implementation typically requires each participant to publish its certificate policies and practice statements, and to generate and publish cross-certificates that link the domain CAs. Relying parties validate certificates by following trust chains to a trusted root or cross-signed CA. Ongoing maintenance covers revocation, certificate renewal, and monitoring for policy or operational changes to preserve compatibility.

Common use cases include government interoperability across agencies, multinational enterprises with separate PKIs, and cloud or service-provider ecosystems that span multiple tenants or jurisdictions. Benefits include broader interoperability and reduced PKI fragmentation; drawbacks include policy misalignment, administrative overhead, revocation propagation delays, and risk if a cross-signed CA is compromised or misconfigured.

Alternatives and related concepts include PKI bridges, policy mapping between CAs, and federated identity systems, which may achieve interoperability without full cross-certification. Cross-certification is a core technique for enabling trust across independent PKI domains in complex, multi-organizational environments.