Cross-certification is the establishment of trust between separate certificate authorities by having one certify the public key of another. It matters because organizations sometimes need trust to span PKI boundaries without collapsing everything into one root hierarchy.
What is Cross-Certification?
Cross-certification can enable interoperability between separate PKI domains, organizations, or trust programs. It can be useful, but it also increases complexity around path validation, policy interpretation, and trust-boundary management.
What Cross-Certification Commonly Supports
Common uses include federated trust, inter-organizational PKI integration, partner environments, and migration between trust hierarchies.
Cross-Certification vs. Single-Hierarchy PKI
Cross-certification connects separate trust hierarchies. A single-hierarchy PKI keeps trust inside one primary chain structure.
Frequently Asked Questions
Why is cross-certification complicated?
Because once multiple trust domains interact, policy and validation questions become harder to reason about safely.
Is it the same as importing a root into a trust store?
No. Cross-certification creates trust relationships through signed certificates, whereas importing a root is a direct trust-store decision.
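The difference from a trust-store import, and the loop that mutual cross-certification adds to path building, shown as an added example (not taken from any PKI product): a relying party that trusts only RootA reaches a certificate issued under RootB through a cross-certificate, with its trust store unchanged. The names RootA, RootB, the key ids and server.orgb.example are constructed, and the model tracks names and keys only.

```python
from collections import namedtuple

# Simplified model: names and key ids only. Real validation also checks
# signatures, validity periods, constraints and policy, all omitted here.
Cert = namedtuple("Cert", "subject subject_key issuer signer_key")

def build_paths(leaf, pool, anchors):
    """Return all chains (leaf first) whose last certificate is signed by a key in anchors."""
    paths = []

    def walk(chain):
        top = chain[-1]
        if (top.issuer, top.signer_key) in anchors:
            paths.append(chain)          # signed by a directly trusted key
            return
        for cand in pool:
            signs_top = (cand.subject, cand.subject_key) == (top.issuer, top.signer_key)
            if signs_top and cand not in chain:   # skip loops from mutual cross-certs
                walk(chain + [cand])

    walk([leaf])
    return paths

# Constructed sample data: two separate hierarchies, RootA and RootB.
LEAF_B = Cert("server.orgb.example", "kS", "RootB", "kB")
CROSS_A_TO_B = Cert("RootB", "kB", "RootA", "kA")   # RootA certifies RootB's key
CROSS_B_TO_A = Cert("RootA", "kA", "RootB", "kB")   # RootB certifies RootA's key
ORG_A_TRUST_STORE = {("RootA", "kA")}               # never contains RootB

def demo():
    without = build_paths(LEAF_B, [], ORG_A_TRUST_STORE)
    with_cross = build_paths(LEAF_B, [CROSS_A_TO_B, CROSS_B_TO_A], ORG_A_TRUST_STORE)
    return without, with_cross

if __name__ == "__main__":
    without, with_cross = demo()
    print("paths without cross-certificate:", len(without))
    for chain in with_cross:
        print(" <- ".join(c.subject for c in chain), "<- RootA (trust anchor)")
```

Removing CROSS_A_TO_B from the pool withdraws the trust relationship without touching any relying party's trust store.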