The Demo CA follows the best practices for modern CAs. That includes using two levels of CA certificates. There is a root certificate, which is self-signed. The root is used to sign an intermediate certificate, and then entity (client and server) certificates issued by the CA are signed by the intermediate.
Using this structure in Demo CA mimics public CAs and many internal organizational CAs, and lets Enterprise Server administrators see how certificate chains are configured. A certificate chain is the full collection of certificates from the entity to the root. When one participant (client or server) in a TLS conversation receives a certificate from the other side, part of the process it uses to verify the certificate involves reconstructing the full chain from the entity certificate to a trusted root. The sender might send just its entity certificate, but good practice is to include any intermediate certificates in the chain, and possibly even the root itself to assist in problem resolution. On the receiving side, including not just the root but the intermediate as well in the collection of trusted certificates (also called trust anchors) can improve interoperability.
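The chain reconstruction described above can be reproduced with a throwaway two-level CA. This is an added example, not part of the Demo CA scripts or the original page: it checks the same server certificate against three combinations of trust anchors and peer-supplied intermediates. It assumes the openssl command-line tool is installed; all file names and subject names are constructed for the example.

```shell
#!/bin/sh
# Constructed throwaway PKI (root -> intermediate -> server) built with the openssl
# CLI. All names are made up for this example; none come from the Demo CA scripts.
DEMO_DIR=$(mktemp -d)

cat > "$DEMO_DIR/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF

# issue <name> <CN> <extension section> <issuer name> <serial>
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$DEMO_DIR/pki.cnf" \
        -subj "/CN=$2" -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$DEMO_DIR/$1.csr" -days 2 -set_serial "$5" \
        -CA "$DEMO_DIR/$4.pem" -CAkey "$DEMO_DIR/$4.key" -extfile "$DEMO_DIR/pki.cnf" \
        -extensions "$3" -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

# Self-signed root, then the intermediate signed by the root, then the entity cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$DEMO_DIR/pki.cnf" \
    -extensions ca -subj "/CN=Example Root" \
    -keyout "$DEMO_DIR/root.key" -out "$DEMO_DIR/root.pem" 2>/dev/null
issue intermediate "Example Intermediate" ca root 2
issue server "server.example.test" leaf intermediate 3
cat "$DEMO_DIR/root.pem" "$DEMO_DIR/intermediate.pem" > "$DEMO_DIR/anchors.pem"

# chain_verifies <trust anchor file> [file of intermediates sent by the peer]
# Exit status 0 only if a chain from server.pem to a trust anchor can be rebuilt.
chain_verifies() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$DEMO_DIR/$1" -untrusted "$DEMO_DIR/$2" "$DEMO_DIR/server.pem"
    else
        openssl verify -CAfile "$DEMO_DIR/$1" "$DEMO_DIR/server.pem"
    fi >/dev/null 2>&1
}

report() { if chain_verifies "$2" "$3"; then echo "$1: OK"; else echo "$1: FAILED"; fi; }
report "root trusted, peer sent entity only" root.pem
report "root trusted, peer sent entity + intermediate" root.pem intermediate.pem
report "root and intermediate trusted, peer sent entity only" anchors.pem
```

Only the first case fails: with just the root trusted and no intermediate supplied, the verifier has no way to link the server certificate to the root.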
Each certificate is associated with a private key, which can be in a separate file, or in the case of some file formats, such as PKCS#12 (.p12), included in the same file as the certificate. The private key is needed to use the certificate to sign a message or prove identity; it is not needed by the recipient to verify identity. So for example, when you configure an enterprise server listener to use a server certificate, you will need the private key for that certificate as well; but when configuring the Demo CA root and intermediate certificates as trusted, you do not need their keys.
Private keys are typically protected using passphrases. The Demo CA scripts will prompt you for passphrases as they create and use private keys. It is important to keep these passphrases secure if you use any Demo CA certificates for security, even to secure an enterprise server instance on development or test systems.
When the Demo CA scripts have been run, certificates and the private keys for entity certificates can be found in the entities directory tree. There you will find:
The other directories created by Demo CA hold the files needed by the CA. There is one for the root CA certificate, and one for the intermediate. You can examine these if you wish, but their contents are not needed when configuring Enterprise Server for TLS.
If you use Demo CA for any purpose other than short-term experimentation, Micro Focus recommends backing up its contents to avoid disruption.