GlobalSign PKI Glossary

Let us help you make sense of the terms and acronyms surrounding PKI.

Adobe's Approved Trust List (AATL)

AATL is a a program that allows users worldwide to create trusted digital signatures whenever a signed document is opened in Adobe® Acrobat® or Reader® software. GlobalSign is a member of this list. AATL works off an “Approved Trust List” where AATL member CAs are carefully vetted by Adobe. They can also be used for signatures in other software such as Microsoft Office and Bluebeam Revu.

Application Program Interface (API)

An API for a website is code that allows two software programs to communicate with each another. The API spells out the proper way for a developer to write a program requesting services from an operating system or other application. GlobalSign has developed a number of APIs designed for Partners to automate the ordering and delivery of customer's SSL Certificates. Using an API will help create a robust and scalable SSL business as a GlobalSign partner. 

Auto Enrollment Gateway (AEG)

GlobalSign's AEG is a scalable managed PKI solution designed for enterprise environments utilizing a mix of platforms and devices. The newest iteration of this valuable tool acts as a direct gateway between Atlas, GlobalSign’s next-generation cloud Certificate Authority, and your Active Directory - effectively extending its reach to every endpoint on a network.

Automated Certificate Management Environment (ACME)

ACME protocol is a communications protocol for automating interactions between certificate authorities and their users' web servers, allowing the automated deployment of public key infrastructure at a very low cost.


Bootstrap, sometimes referred to as bootstrap loader, is a small piece of code or program that runs when a device is powered on. It initializes the operating system (OS), bringing the computer or device online. 


Bootstrapping is the process of building a system using the system itself or a precursor version of the system. Bootstrapping also refers to modular or auto-updatable software that allows a user to download a small ‘bootstrap’ executable that will then identify, download and update those parts of the application that the user needs. The bootstrap component can also look for and install updates when they are available.

Certificate Authority (CA)

A CA is a trusted organization that looks after the verification of such websites and other entities. It helps visitors know who they are communicating with online, making the internet more secure.

Certificate Based Authentication (CBA)

Certificate‐based network authentication is the use of a Digital Certificate (credential) to identify a user and often a device (or devices) employed by a known user on the network and is often deployed in coordination with traditional user authentication methods such as username and password.

Certificate Lifecycle Management (CLM)

Allows the management of digital certifictaes for each application. This could be hundreds or thousands needing issuance, renewal or revocation. The tool enables organizations to discover certificates across their IT infrastrcuture, automate certificate provisioning onto devices and to eradicate repetitive tasks.

Certificate Practice Statement (CPS)

CPS is a business process/policy that defines how certificates are issued and controlled.

Certificate Revocation List (CRL)

CRL provides the means to check the revocation status of a certificate installed on a website or used to digitally sign a document. CRLs are binary files that contain the serial numbers of revoked certificates and in some cases a revocation reason. Each time a revocation check is performed, the client applications need the CRL from the Issuing CA.

Certificate Signing Request (CSR)

CSR is a message sent to a certificate authority to request the signing of a public key and information. The contents of a CSR comprises a public key, organization, city, state, country, and e-mail. Not all fields are required depending on the assurance level of certificate. Together these make up the Certificate Signing Request (CSR). 

The CSR is signed by the applicant's private key; this proves to the CA that the applicant has control of the private key that corresponds to the public key included in the CSR. Once the requested information in a CSR passes a vetting process and domain control is established, the CA may sign the applicant's public key so that it can be publicly trusted. 

Constrained Device

Are small devices that have limited resources (power, memory, CPU). Often, they run on batteries. Constrained devices are typically things like sensors and/or actuators. When constrained devices are connected in a group, they become a network of “constrained nodes”. 

Cryptographic Key

A randomly generated string of binary digits (bits). Keys are used by cryptographic algorithms to transform plain text into cipher text or decipher encrypted code. Keys are symmetric or asymmetric. Symmetric key algorithms use the same key to encrypt and decrypt. Asymmetric key pairs (public key and private key) use a public key to encrypt plain text into cipher text and then use a private key to decrypt the cipher to plain text. Key(s) maintain data privacy and integrity. Key generation is done on Trusted Platform Modules (TPMs).

Digital Signing Service (DSS)

DSS allows organizations to easily deploy high-assurance digital signatures to sign critical paperwork, protect sensitive information, and keep business running securely - even when face to face interactions are not possible.

Domain Validated Certificates (DV SSL)

X.509 digital certificate in which the domain name of an applicant has been validated, usually checked against a domain registry.

Electronic Identification and Trust Services (eIDAS)

eIDAS provides consistency to regulations in the EU regarding electronic signatures. It uses a common foundation for secure electronic interaction between citizens and all other entities in order to increase the effectiveness and trust of online services. eIDAS covers authentication, signature seals, registered delivery services and time stamps.

Elliptic-Curve Cryptography (ECC)

An approach to public key cryptography based on elliptic curves over finite fields (such as is used in Digital Signature Algorithms [DSA]). It is often used for encryption and digital signatures. The key sizes tend to be smaller than those of RSA cryptography.

Enterprise PKI (ePKI)

ePKI allows organizations to manage the full lifecycle of Microsoft Window’s trusted Digital IDs and Adobe Certified Document Services including issuing, reissuing, renewing, and revoking. GlobalSign’s ePKI solution is managed through a SaaS service accessed through a web based portal. 

Extended Validation Certificates (EV SSL)

X.509 digital certificate used for websites and software that proves the legal entity controlling the website or software. GlobalSign (the CA) conducts a thorough vetting of the organization to verify:

  • The legal, physical and operational existence of the entity
  • That the identity of the entity matches official records
  • That the entity has exclusive right to use the domain specified in the EV certificate
  • That the entity has properly authorized the issuance of the EV certificate

Fully Qualified Domain Name (FQDN)

AKA absolute domain name, specifies the exact location of a computer or host on the internet within the domain name system (DNS). It identifies all domain levels (usually two parts) including the hostname and the domain name. - [host name].[domain].[tld]. 

GlobalSign Certificate Center (GCC)

GCC is a customer-facing SaaS platform, designed to order and manage GlobalSign certificates.

The Internet Engineering Task Force (IETF)

An Internet standards body, developing open standards through open processes. The IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.

Managed PKI (MPKI)

MPKI is GlobalSign's Managed SSL and Enterprise PKI positioned as one platform to manage ALL certificates - a "one stop PKI shop".

Mobile Device Management (MDM)

Providers allowing for provisioning of certificates onto mobile devices. GlobalSign has integrations with MDM/ EMM providers allowing for provisioning of certs onto mobile devices

Online Certificate Status Protocol (OCSP)

It is an Internet protocol created by the Internet Engineering Task Force (IETF) for use with PKI infrastructure (RFC 6960). OCSP is used for obtaining the revocation status of an X.509 digital certificate. It is a more dynamic alternative to a CRL.

Organization Validated Certificates (OV SSL)

 X.509 digital certificate in which the applicant organization itself has been validated.  

Payment Card Industry Compliance (PCI)

PCI compliance applies to companies that accept credit card payments.

Public Key Cryptography Standards (PKCS)

These are a group of public-key cryptography standards devised and published by RSA Security LLC, starting in the early 1990s. The company published the standards to promote the use of the cryptography techniques to which they had patents, such as the RSA algorithm, the Schnorr signature algorithm and several others. Though not industry standards (because the company retained control over them), some of the standards in recent years have begun to move into the "standards-track" processes of relevant standards organizations such as the IETF and the PKIX working-group. ~ Wikipedia

Public Key Infrastructure (PKI)

PKI leverages digital keys and associated digital certificates to guarantee authenticity of people, organizations or machines. This allows businesses to secure websites, online communication and other business transactions via encryption and digital signatures. Our managed PKI offering allows management of all types of certificates from a centralized account.

Raspberry PI

The Raspberry Pi is a low cost, credit-card sized computer that plugs into a computer monitor or TV, and uses a standard keyboard and mouse. It is a capable little device that enables people of all ages to explore computing, and to learn how to program in languages like Scratch and Python. It’s capable of doing everything you’d expect a desktop computer to do, from browsing the internet and playing high-definition video, to making spreadsheets, word-processing, and playing games. (definition from their website).

Rivest–Shamir–Adleman (RSA)

 RSA is one of the first public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and it is different from the decryption key which is kept secret (private). ... Breaking RSA encryption is known as the RSA problem. ~wikipedia


Salt or or cryptographic salt is random data that is added as additional input to a one-way hash function in order to strengthen data, passwords or passphrases against attack. 

Secure Email (S/MIME)

S/MIME allows users to digitally sign and encrypt emails. Digitally signing emails protects the origin and authenticity of an email. It confirms the content of the message has not been altered. Encrypting email ensures message privacy. Only the intended recipient can unlock the message.

Secure Sockets Layer/Transport Layer Security (SSL/TLS)

Secure Sockets Layer was a cryptographic protocol to provide security over internet communications before it was succeeded by Transport Layer Security (often still referred to as SSL). It provides a secure channel between two machines or devices operating over the internet or an internal network.

Simple Certificate Enrollment Protocol (SCEP)

SCEP allows you to securely issue certificates to mobile and network devices using an automatic enrollment technique.


Timestamps are important for keeping records of when information is being exchanged or created or deleted online. In many cases, these records are simply useful for us to know about. But in some cases, a timestamp is more valuable.

Trusted Platform Module (TPM)

It provides hardware-based platform device authentication and ensures tamper-proof platform integrity. Is a hardware computer chip that is either built into a computer’s motherboard or added. It is a microcontroller - a secure crypto-processor that is designed to carry out cryptographic operations and security-related functions. It generates public/private encryption key pairs, securely stores the private key (half of the public/private key pair) and other artifacts such as passwords or certificates, and limits access to that information. 

Trusted Root

The root certificate, often called a trusted root, is at the center of the trust model that undergirds Public Key Infrastructure, and by extension SSL/TLS.

X.509 Digital Certificates

X.509 digital certificates (public-key certificates) consist of a set of base fields plus a set of extensions.