Certificate Authority (CA)

The certificate authority (CA) is the component within a public key infrastructure (PKI) solution that is tasked with creating digital certificates. A digital certificate cryptographically links a public key with the identity of its owner. The link is made by digitally signing the owner's public key together with the owner's identity information; the signed result is what is known as the certificate.

A CA needs to be trusted by the parties that rely on its certificates (relying parties), and its signing keys must be safeguarded to prevent an attacker from forging identity certificates that could later be used to gain access to systems that trust the CA.

In order to check the authenticity of a certificate, the verifier uses the CA's certificate (specifically, the public key it carries) to verify the signature on the certificate being evaluated.

Frequently Asked Questions
In the certificate authority trust model known as a hierarchy where does trust start?

The CA trust models require each CA to sign certificates using signing keys that are themselves authenticated using certificates (their public key portion). The CA’s certificates are signed by another CA. Each CA is authenticated using its certificate and trust rolls up to a root CA that uses self-signed certificates and is, therefore, the root-of-trust.

What does a certificate authority do?

A CA issues digital certificates that link a public key with the identity of its owner and carry the CA's digital signature, so any alteration of the certificate can be detected. The matching private key is kept secret by the owner.

Can a certificate authority revoke a certificate?

Yes. Revocations are generally published through a certificate revocation list (CRL), which is a list of digital certificates that the issuing certificate authority (CA) has revoked before their scheduled expiration date and that should no longer be trusted. The CRL can be issued by the CA itself or managed as a separate entity.

What is a root certificate authority?

A root CA is a CA that issues the root certificates that are used to sign other CA certificates. Root certificates are self-signed certificates.

What is a server certificate?

A server certificate is a certificate that is presented by the server to a connecting client and used to attest to its identity. The certificate’s public key is also used to negotiate a session key to encrypt communications between the client and the server.

What are the different types of certificate authorities?

There are generally two types of CAs – a root CA and a subordinate CA. A root CA is tasked with creating the certificates that are used by other CAs. As such, it is the root-of-trust for the entire PKI, and its security and integrity are therefore critically important. A subordinate CA is a CA that received its certificate from another CA and will typically be tasked with issuing certificates to users and resources.

What is a positive SSL?

Positive SSL certificates are server certificates issued by Comodo, a CA that issues certificates

What is a PKI certificate?

A digital certificate cryptographically links a public key with the identity of its owner. Linking is done by digitally signing the public key together with the identity information and creating what is known as the certificate.

What is a chain of trust?

The CA trust models require each CA to sign certificates using signing keys that are themselves authenticated using certificates (their public key portion). The CA's certificates are signed by another CA. Each CA is authenticated using its certificate and trust rolls up to a root CA that uses self-signed certificates and is therefore the root-of-trust.
When a user presents a certificate, the CA that created it (i.e. digitally signed it) is authenticated by evaluating its certificate, which in turn was signed by another CA. Each CA in the chain is authenticated up to the root CA, which is the root-of-trust.
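The chain of trust described above, and the verification step described earlier (checking a certificate's signature with the issuing CA's certificate), as an added example that is not part of the original page: a self-signed root CA, a subordinate CA and a server certificate are built with OpenSSL, and the relying party's check is run three ways. All names and files are constructed for the demonstration; `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original page): build a root CA, a subordinate CA
# and a server certificate with OpenSSL, then verify the chain up to the root.
# All names and files are constructed for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue_cert NAME CA:TRUE|CA:FALSE [ISSUER]
# Makes a key and CSR for NAME, then signs it with ISSUER's private key.
# With no ISSUER the certificate is self-signed, i.e. a root certificate.
issue_cert() {
  name=$1; ca=$2; issuer=$3
  printf 'basicConstraints=critical,%s\n' "$ca" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -extfile "$WORK/$name.ext" -days 365 -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -extfile "$WORK/$name.ext" -days 365 -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# verify_leaf LEAF ANCHOR [UNTRUSTED]
# The relying party's check: the chain from LEAF must end in the self-signed
# ANCHOR; UNTRUSTED certificates (e.g. the subordinate CA) only help build
# the chain and are not trusted on their own. Prints OK or FAIL.
verify_leaf() {
  leaf=$1; anchor=$2; untrusted=$3
  set -- -CAfile "$WORK/$anchor.pem"
  [ -n "$untrusted" ] && set -- "$@" -untrusted "$WORK/$untrusted.pem"
  if openssl verify "$@" "$WORK/$leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

issue_cert root CA:TRUE                  # self-signed: the root-of-trust
issue_cert sub CA:TRUE root              # subordinate CA, certificate signed by root
issue_cert server CA:FALSE sub           # server certificate, signed by the subordinate
issue_cert other-root CA:TRUE            # a second root the relying party does not trust
issue_cert other-leaf CA:FALSE other-root

echo "server, subordinate supplied, anchored at root: $(verify_leaf server root sub)"           # OK
echo "server, subordinate certificate missing:        $(verify_leaf server root)"               # FAIL
echo "leaf issued under an untrusted root:            $(verify_leaf other-leaf root other-root)" # FAIL
```

The second and third results show why relying parties must hold the root certificate as their trust anchor and why the subordinate CA's certificate has to be available: a chain that cannot be walked back to a trusted self-signed root is rejected.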