3.(Optional) CA verifies Alice’s ID through out-of-band
means.
4.CA creates a certificate containing the ID and public key,
and signs it with the CA’s own key
nCA has certified the binding
between key and ID
5.Alice verifies the key, ID & CA signature
6.Alice and/or the CA publish the certificate