The differences between CA, local, and self-signed certificates are described in Table 1.
Type | Definition | Description |
---|---|---|
Self-signed certificate | A self-signed certificate, also called a root certificate, is issued by an entity to itself. In this certificate, the issuer name and subject name are the same. | If an applicant fails to apply for a local certificate from the CA, it can generate a self-signed certificate. The self-signed certificate issuing process is simple. A device does not support lifecycle management (such as certificate update and revocation) for its self-signed certificate. To ensure security of the device and certificate, you are advised to replace the self-signed certificate with the local certificate. |
CA certificate | The CA's own certificate. If a PKI system does not have a hierarchical CA structure, the CA certificate is the self-signed certificate. If a PKI system has a hierarchical CA structure, the top CA is the root CA, which owns a self-signed certificate. | An applicant trusts a CA by verifying its digital signature. Any applicant can obtain the CA's certificate (including the public key) to verify the local certificate issued by the CA. |
Local certificate | A certificate issued by a CA to the applicant. | - |
Local device certificate | A certificate issued by a device to itself according to the certificate issued by the CA. The issuer name in the certificate is the CA server's name. | If an applicant fails to apply for a local certificate from the CA, it can generate a local device certificate. The local device certificate issuing process is simple. |
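
The distinctions in Table 1 can be checked on real X.509 certificates. The following is an added example, not part of the original page: it uses Go's standard `crypto/x509` package to create a self-signed root CA and a local certificate, then tests "issuer name equals subject name" and "the CA's public key verifies the signature". The names `Example Root CA` and `device-1` and the functions `issue`, `IssuedBy` and `IsSelfSigned` are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn: self-signed when parent is nil, else signed by the parent CA.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (cert *x509.Certificate, key *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
	}
	if parent == nil { // no CA involved: issuer name = subject name, signed with its own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(err)
	}
	return cert, key
}

// IssuedBy: c names issuer as its issuer AND issuer's public key verifies c's signature.
func IssuedBy(c, issuer *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, issuer.RawSubject) && issuer.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

func IsSelfSigned(c *x509.Certificate) bool { return IssuedBy(c, c) } // the certificate is its own issuer

func main() {
	ca, caKey := issue("Example Root CA", nil, nil) // constructed names
	local, _ := issue("device-1", ca, caKey)
	fmt.Println(IsSelfSigned(ca), IsSelfSigned(local), IssuedBy(local, ca)) // true false true
}
```

`IssuedBy` requires the signature check as well as the name match, so a certificate signed by a different key that merely reuses the CA's name is rejected.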