What is a Certificate Authority (CA)?

Certificate authorities (CAs) are critical in securing online communications and identities.  But what exactly does a CA do? And how do they establish trust online? This guide will help answer these questions.

What is the Role of a Certificate Authority?

A certificate authority is a company or organization that acts to validate the identities of entities (such as websites, email addresses, companies, or individual persons) and bind them to cryptographic keys through the issuance of electronic documents known as digital certificates.

A digital certificate provides:

  • Authentication, by serving as a credential to validate the identity of the entity that it is issued to.

  • Encryption, for secure communication over insecure networks such as the internet.

  • Integrity of documents signed with the certificate so that they cannot be altered by a third party in transit.

These certificates allow secure, encrypted communication between two parties through public key cryptography. The CA verifies the certificate applicant’s identity and issues a certificate containing their public key. The CA will then digitally sign the issued certificate with their own private key which establishes trust in the certificate’s validity.

CAs like SSL.com embed their root certificates into operating systems, browsers, and other applications like Adobe products in the case of document signing certificates. This allows them to issue SSL/TLS certificates for websites, email certificates, code signing certificates, and more. Relying parties can then trust certificates chained to these root CAs.

 

Secure your website with SSL.com’s highly trusted SSL/TLS certificates. Get a free quote on domain validated, organization validated, or extended validation certificates. 

 

How Does a CA Validate and Issue Certificates?

When requesting a certificate from a CA, the applicant first generates a public and private key pair. The private key should remain under the applicant’s sole control and ownership. However, in some cases the private key may be generated and stored securely in a hardware security module (HSM) controlled by the issuing CA. 

The applicant then sends a certificate signing request (CSR) containing their public key and other identifying details to the CA through an online form.

Next, the CA will take steps to validate the applicant’s identity and the right to claim credentials such as domain names for server certificates or email addresses for email certificates in the CSR. This process varies by certificate type and validation level. For example, to issue an OV or EV SSL certificate, the CA will require business documents and authentication of the applicant’s identity and ownership of domain names.

If validation is successful, the CA issues the certificate containing the details and public key from the CSR. The CA digitally signs the issued certificate with their own private key to confirm they verified the identity.

What Are the Certificates CA’s Issue Used For?

Certificates are used in different ways depending on the certificate type:

  • For TLS/SSL certificates, the applicant installs the certificate on their web server to enable HTTPS and encrypt communication. The private key remains securely stored on the server.

  • For code signing certificates, the private key is used to digitally sign software, executables, scripts, etc.

  • S/MIME certificates for email security are installed in email clients and used to encrypt, sign or authenticate emails.

  • Client authentication certificates are installed on devices or users’ systems to authenticate their identity to servers or applications.

  • Document signing certificates are installed in document signing applications and used to apply certified digital signatures to electronic documents.

The proper use of the private key is essential for each certificate type and purpose.

What Does a Digital Certificate Contain?

A digital certificate is an electronic document that binds an identity to a cryptographic key pair through the CA’s signature.

Certificates may contain information such as:

  • Domain names

  • Email addresses

  • Business or individual identity

  • The public key used to enable encryption

  • Issuing CA details

  • Validity period

  • Certificate serial number

  • Signature to prevent tampering

By issuing a certificate, the CA states that the public key contained within belongs to the listed identity.

The corresponding private key is kept secret by the applicant. The public and private key pair allows secure encrypted communication through SSL/TLS and other protocols.

How Do CAs Help Establish Trust?

For an issued certificate to be trusted, the issuing CA must be trusted. CAs establish trust through certificate chains.

A certificate chain links your end-entity certificate back to a trusted root CA certificate through intermediate issuing CAs:

  • Trusted root CA certificate (trust anchor)

  • Intermediate CA certificates issued by root

  • End-entity certificate issued to the applicant

Browsers, devices, operating systems, and applications come with pre-installed root CA certificates from trusted authorities like SSL.com. By extending trust along the chain, SSL.com can issue trusted certificates.

Certificate chains allow trust to be extended in a scalable, secure way. Each link in the chain traces back to a trusted anchor. If any link in the chain is missing or untrusted, clients will see errors when accessing a site with that certificate installed. A proper chain is essential.

Does SSL.com Provide Trusted Certificates?

SSL.com is a certificate authority that issues different types of trusted digital certificates, including:

  • SSL/TLS certificates that secure websites with HTTPS

  • S/MIME certificates for securing email

  • Code signing certificates for verifying software

  • Client certificates for authenticating devices/users

  • Document signing certificates for proving e-document integrity

The root and intermediate certificates issued by SSL.com are embedded in all major web browsers and operating systems by default. This gives SSL.com the ability to sell trusted certificates to websites and organizations.

SSL.com also offers services like its hosted PKI platform, which allows companies to build their own private internal CA integrated with SSL.com’s public trust.

Final Thoughts

In summary, CAs form the backbone of trust online by issuing, validating, and managing digital certificates. While complex under the hood, they enable secure encrypted connections through public key infrastructure (PKI).

Now you understand the crucial role CAs play in confirming identities and establishing trusted communication between parties.

 

Contact our sales team for volume discounts and custom solutions tailored to your business’s certificate needs.

   

Subscribe to SSL.com’s Newsletter

Don’t miss new articles and updates from SSL.com

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.