In X.509 the term "certification authority" is defined as "an authority trusted by one or more users to create and assign certificates". X.509 imposes few constraints on CAs, but practical implementation of a worldwide certification system requires establishment of technical and procedural conventions by which all CAs are expected to abide. Such conventions are established throughout this document. All CAs are required to maintain a database of the DNs which they have certified and to take measures to ensure that they do not certify duplicate DNs, either for users or for subordinate CAs.
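One way a CA could implement the duplicate-DN check described above, given as an added example that is not part of this document. The names `normalize_dn`, `DNRegistry` and `subject_id`, the table layout, and the matching rule (case-insensitive, whitespace-collapsed, single-valued RDNs) are assumptions; the sample DNs are constructed.

```python
import json
import sqlite3

def normalize_dn(rdns):
    """Canonical key for a DN given as (attribute type, value) pairs."""
    # Assumed matching rule: case-insensitive, runs of whitespace collapsed.
    return json.dumps([[attr.strip().upper(), " ".join(value.split()).casefold()]
                       for attr, value in rdns])

class DNRegistry:
    """Hypothetical CA-side record of every DN certified so far."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        # One PRIMARY KEY over users and subordinate CAs alike, so a DN
        # certified for one kind of subject cannot be reused for the other.
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS certified_dn ("
            "canonical TEXT PRIMARY KEY, kind TEXT NOT NULL, "
            "subject_id TEXT NOT NULL)")

    def bind(self, rdns, kind, subject_id):
        """Return True if the DN is free or already bound to this subject."""
        key = normalize_dn(rdns)
        # The PRIMARY KEY decides which insert wins, so two concurrent
        # requests for one DN cannot both succeed (no check-then-insert gap).
        with self.db:
            self.db.execute(
                "INSERT OR IGNORE INTO certified_dn VALUES (?, ?, ?)",
                (key, kind, subject_id))
            row = self.db.execute(
                "SELECT kind, subject_id FROM certified_dn WHERE canonical = ?",
                (key,)).fetchone()
        return row == (kind, subject_id)

def demo():
    reg = DNRegistry()
    alice = [("C", "US"), ("O", "Example Corp"), ("CN", "Alice Smith")]
    lookalike = [("c", "us"), ("o", "EXAMPLE  corp"), ("cn", " alice smith")]
    return [
        reg.bind(alice, "user", "subject-1"),      # first certification
        reg.bind(lookalike, "user", "subject-2"),  # same DN, other subject
        reg.bind(alice, "user", "subject-1"),      # re-issue to same subject
        reg.bind(alice, "ca", "subject-3"),        # same DN as subordinate CA
    ]

if __name__ == "__main__":
    print(demo())
```

The check belongs before the signing step, so that a rejected request never produces a signed certificate.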
It is critical that the private component of a CA be afforded a high level of security; otherwise the authenticity guarantee implied by certificates signed by the CA is voided. Some PCAs may impose stringent requirements on CAs within their purview to ensure that a high level of security is afforded the certificate signing process, but not all PCAs are expected to impose such constraints.