But how did this hypothetical remote endpoint come to already possess the public key that was able to decrypt the digest? The public key must have been placed into the certificate repository of the remote endpoint. As a general rule, public keys are freely distributed. Some are so freely available that the application or operating system vendor populates them, by default, in certificate repositories. For example, Windows, Linux and RACF environments already contain certificates with public keys from external vendors such as VeriSign and thawte. Such vendors are referred to as well-known Certificate Authorities, or well-known CAs. We discuss CAs in more detail in 3.2, "Digital certificate types" on page 40.

3.2 Digital certificate types

We describe the following digital certificate types in this section:

- Certificate authority certificates
- User (personal) certificates
- Site certificates

We also discuss how to obtain a digital certificate.

3.2.1 Certificate authority certificates

A certificate authority (CA) certificate is one that signs or issues other certificates. There are two types of CA certificates:

root CA
A root CA is the first certificate created. It forms the top of any certificate chain. The root CA is used to sign other certificates that are lower down in the chain (hierarchy). A unique characteristic of a root
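
To see which CA certificates a vendor has pre-populated in an endpoint's certificate repository, as described above, the following added example (not from the original text) enumerates Python's default trust store and separates self-issued roots from other CA certificates. The helper names, the constructed `SAMPLE` records and the subject-equals-issuer root test are assumptions of this example.

```python
import os
import ssl

# Constructed sample in the shape ssl.SSLContext.get_ca_certs() returns.
SAMPLE = [
    {"subject": ((("commonName", "Example Root CA"),),),
     "issuer": ((("commonName", "Example Root CA"),),),
     "notAfter": "Jan  1 00:00:00 2040 GMT"},
    {"subject": ((("commonName", "Example Issuing CA"),),),
     "issuer": ((("commonName", "Example Root CA"),),),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
]

def name_to_str(name):
    """Flatten the nested RDN tuples that ssl returns into 'k=v, k=v'."""
    return ", ".join(f"{k}={v}" for rdn in name for k, v in rdn)

def classify(certs):
    """Split decoded CA certs into self-issued roots and other CA certs.
    Assumption: subject == issuer marks a root; this compares names only
    and does not verify the signature."""
    roots, others = [], []
    for cert in certs:
        subject = name_to_str(cert.get("subject", ()))
        issuer = name_to_str(cert.get("issuer", ()))
        (roots if subject == issuer else others).append(
            {"subject": subject, "issuer": issuer,
             "expires": cert.get("notAfter")})
    return roots, others

def load_default_store():
    """Return decoded CA certs from the platform's default repository."""
    ctx = ssl.create_default_context()
    capath = ssl.get_default_verify_paths().capath
    # OpenSSL reads a capath directory lazily, so get_ca_certs() can be
    # empty although trust anchors exist; load those files explicitly.
    if not ctx.get_ca_certs() and capath and os.path.isdir(capath):
        for entry in sorted(os.listdir(capath)):
            try:
                ctx.load_verify_locations(cafile=os.path.join(capath, entry))
            except (ssl.SSLError, OSError):
                continue  # not a readable PEM certificate file
    return ctx.get_ca_certs()

if __name__ == "__main__":
    roots, others = classify(load_default_store())
    print(f"{len(roots)} self-issued roots, {len(others)} other CA certs")
    for root in roots[:10]:
        print(" ", root["subject"], "| expires", root["expires"])
```

Run against `SAMPLE` instead of the live store to check the classification logic on a machine that has no default repository installed.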