What is a Certificate Authority (CA) in PKI?

components of public key infrastructure

What is a Certificate Authority (CA)?

A Certificate Authority (CA) is an organization that issues digital certificates, most visibly the SSL/TLS certificates that websites and other servers present to prove their identity. Before issuing one, the CA verifies that the applicant actually controls the domain name in the request (and, for organization-validated certificates, that the organization is who it claims to be). Relying parties such as browsers accept that verification because they trust the CA, not because they have checked the website themselves.

SSL was introduced by Netscape in 1995, and its successor TLS is the protocol that encrypts traffic between a user's browser and a server so that an attacker on the network can neither read nor tamper with it. The certificate itself does not encrypt anything: it binds the server's public key to its domain name and carries the CA's signature, which lets the browser authenticate the server before the encrypted session is set up. Certificates for the public web are issued by publicly trusted CAs, that is, CAs whose root certificates are included in the trust stores of browsers and operating systems. Those CAs follow the Baseline Requirements published by the CA/Browser Forum, an industry body of CAs and browser vendors; the Forum sets the rules but does not itself decide which CAs are trusted. In addition, CAs verify the identity of the website's owner to make sure they are who they claim to be.

What does a Certificate Authority Do?

There are two main activities a CA performs:

  • Vetting (verifying) the identity of the website owner or organization: When you submit a certificate signing request (CSR), the CA verifies the information in it. For a domain-validated (DV) certificate that means proof of control over the domain name, for example by publishing a CA-chosen token in a DNS record or at a well-known URL on the site; for organization-validated (OV) and extended-validation (EV) certificates the CA also checks the organization's legal name, address and contact details. The CSR carries your public key and is signed with the matching private key, which proves you hold it; the private key itself never leaves your server.
  • Issuing the certificate: Once the information is validated, the CA signs a certificate that binds your public key to the domain (and, for OV/EV, the organization) and returns it to you to install on the server.

How Does a Certificate Authority Work?

Once the certificate is issued and installed on the website, any browser that trusts the issuing CA can confirm it is talking to the genuine holder of that domain name and set up an encrypted connection, so users can exchange data with the site without it being intercepted. Note that a certificate attests to identity and domain control, not to the honesty of the site behind it.

SSL Certificate Chain Of Trust

ssl chain of trust
  • The chain of trust is the hierarchical structure of digital certificates. At the top is the root certificate, which the CA signs with its own key (self-signed) and which is distributed in browser and operating-system trust stores.
  • Next is an intermediate certificate, signed by the root, that insulates the root from day-to-day issuance: the root key can stay offline, and if an intermediate is compromised it can be revoked without replacing the root in every trust store.
  • Finally, the end-entity (leaf) certificate, signed by the intermediate, identifies the website, organization or person. A client validates the chain by following each certificate's issuer signature back to a root it already trusts.
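The chain just described, built and checked with the openssl command line, as an added example that is not part of the original article. The names Example Root CA, Example Intermediate CA and www.example.com are made up, the keys are throw-away P-256 keys, and everything lives in a temporary directory. It also exercises the two CA activities listed earlier: the applicant proves possession of its private key by signing the CSR, and the CA signs the certificate. The checks at the end mirror what a browser does (verify back to the trusted root through the intermediate and require the hostname to match), print the subject, issuer and validity fields a certificate viewer shows, and demonstrate the failure when a server forgets to send its intermediate.

```shell
#!/bin/sh
# Added example, not from the original article: build a root -> intermediate ->
# end-entity chain with the openssl CLI and check it the way a browser does.
# Names (Example Root CA, Example Intermediate CA, www.example.com) are made up.
set -eu

# Key plus certificate signing request (CSR) for one subject. The CSR is
# signed with the new private key: that is the applicant's proof of possession.
# The CA only ever sees the CSR and the public key inside it.
new_key_and_csr() {  # <basename> <common name>
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1.key" 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

build_chain() (  # <empty working directory>
    cd "$1"

    # 1. Root CA: self-signed, CA:TRUE, allowed to sign certificates and CRLs.
    #    A real root key would live offline in an HSM.
    new_key_and_csr root "Example Root CA"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > root.ext
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
        -extfile root.ext -out root.crt 2>/dev/null

    # 2. Intermediate CA: CSR signed by the root. pathlen:0 means it may issue
    #    end-entity certificates only, never another CA.
    new_key_and_csr int "Example Intermediate CA"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > int.ext
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile int.ext -out int.crt 2>/dev/null

    # 3. End-entity (server) certificate, signed by the intermediate. The
    #    subjectAltName is what browsers match against the typed hostname.
    new_key_and_csr leaf www.example.com
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:www.example.com' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > leaf.ext
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 90 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null
)

# The fields a browser's certificate viewer shows: subject, issuer, validity.
show_cert() (  # <dir>
    cd "$1"
    openssl x509 -in leaf.crt -noout -subject -issuer -dates
)

# What a browser does: trust only the root, use the intermediate the server
# sends as an untrusted helper, and require the hostname to match.
verify_chain() (  # <dir> <hostname>
    cd "$1"
    openssl verify -CAfile root.crt -untrusted int.crt \
        -verify_hostname "$2" leaf.crt
)

# Common misconfiguration: the server sends only its leaf. With no path back
# to a trusted root the chain cannot be built and verification fails.
verify_without_intermediate() (  # <dir>
    cd "$1"
    openssl verify -CAfile root.crt leaf.crt
)

dir=$(mktemp -d)
build_chain "$dir"
show_cert "$dir"
verify_chain "$dir" www.example.com
verify_without_intermediate "$dir" || echo "rejected as expected: missing intermediate"
verify_chain "$dir" evil.example.com || echo "rejected as expected: hostname mismatch"
```

The two deliberate failures are the ones practitioners meet most often: a server configured with only its own certificate (clients that do not fetch missing intermediates themselves will reject it) and a certificate presented for a name it was not issued for, which is exactly the man-in-the-middle case the chain is meant to stop.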

What are the CA Certificates?

If you have a passport, you know how much preparation it takes to prove who you are.

You are asked about your birth and your residence, and you have to produce documents that back up your answers. Once issued, the passport tells the entire world that you are who you claim to be.

Getting a digital certificate, or CA certificate as the article calls it, is an online process: you submit a CSR together with the information the CA asks for about your domain or company and complete its validation checks. The result is the web passport for your website. It contains the domain name, the server's public key (not an encryption key as such; the keys that encrypt a session are negotiated separately during the TLS handshake) and the CA's signature over those facts. A browser uses it to confirm it has reached the genuine site, which is what defeats man-in-the-middle (MitM) attacks: an attacker sitting between user and server cannot present a certificate for your domain that a trusted CA signed.

The Importance of Certificate Authorities in PKI

The Certificate Authority is the cornerstone of a larger system called Public Key Infrastructure (PKI), which also comprises the certificates themselves, the trust stores that hold root certificates, and the revocation services (CRLs and OCSP) that let clients learn when a certificate should no longer be accepted. The image below shows the main parts of a PKI.

Certificate Authority in Public Key Infrastructure

The point of TLS is that no third party on the network path can read or alter the information exchanged between the user and the website; it protects data in transit, not data already stored on the server, which needs separate controls. That is why websites are expected to obtain SSL/TLS certificates and serve all pages over HTTPS.

Beyond issuing certificates, CAs are responsible for revoking them when they should no longer be trusted, for example when a private key has been compromised or a certificate was mis-issued, and for publishing that status through CRLs and OCSP so that clients can check it. In simple words, the objective of these authorities is to keep the internet a safe place for both website owners and users.

SSL Certificate in Web Browser

In the above image, there is a padlock visible to the left of the URL. The padlock is the first cue that the connection is encrypted and that the browser validated the site's certificate. It does not mean the site itself is safe: phishing sites routinely hold valid certificates for their own domains, so the name in the address bar still has to be checked.

Steps to Check Certificate Authority in Chrome

When the user clicks the padlock, a panel pops up stating that the connection is secure. Clicking "Connection is secure" opens the panel shown in the image on the right.

The image on the right shows the text "Your information (for example, passwords or credit card numbers) is private when it is sent to this site," which means the browser validated the site's certificate against a CA in its trust store and the connection is encrypted.

How to View SSL Certificate Information in Chrome

Clicking "Certificate is valid" opens the certificate viewer, which shows the information the CA certified: the subject (the domain name the certificate was issued to), the issuer (the CA that signed it; in this case DigiCert Inc) and the validity period, that is, the dates from and until which the certificate is valid. Clients reject a certificate outside that window regardless of its revocation status.

When does the CA Certificate Get Revoked?

  • If the CA realizes that it improperly issued a certificate (a mis-issuance), it revokes the certificate and, once the applicant has been properly validated, issues a new one for the same entity.
  • If the CA learns that the private key belonging to a certificate has been compromised, or the subscriber asks for revocation, it revokes the certificate and adds its serial number to its Certificate Revocation List (CRL) and OCSP responses.

Note: A certificate is not added to the CRL once it has EXPIRED. Clients already reject it on its dates, and CRLs would otherwise grow without bound, so a CA may drop an entry after the certificate's expiry.

Other reasons your certificate might be revoked (with the RFC 5280 reason code a CRL records for each):

  • The CA that issued your certificate has been compromised (cACompromise).
  • The domain the certificate was issued for is no longer under your ownership (affiliationChanged).
  • Your organization has ceased operations entirely (cessationOfOperation).
  • The old certificate has been replaced by a new one (superseded).

Revocation is not uncommon and happens at scale. In 2019 several CAs, among them Apple, Google and GoDaddy, had to revoke and reissue millions of certificates because a default in the EJBCA CA software had produced serial numbers with only 63 bits of entropy instead of the 64 bits the Baseline Requirements demand.
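The revocation lifecycle described in this section, run end to end on a throw-away CA with `openssl ca`, as an added example that is not part of the original article. It issues a certificate, revokes it for key compromise, publishes a CRL and shows how a CRL-checking client reacts; it also issues an already-expired certificate to show the note above in action (the CA database marks it E rather than R and it never enters the CRL, yet clients still reject it on its dates). The CA name and hostnames are made up, and all files live in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original article: a throw-away CA driven with
# `openssl ca` that issues, revokes and publishes a CRL, plus the client check.
# Example Demo CA, www.example.com and old.example.com are made-up names.
set -eu

# Lay out the directory `openssl ca` expects. index.txt is the CA's database:
# one line per issued certificate, first column V (valid), R (revoked), E (expired).
setup_ca() (  # <empty directory>
    cd "$1"
    mkdir newcerts
    : > index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 90
default_crl_days = 7
policy           = demo_policy
x509_extensions  = leaf_ext
[ demo_policy ]
commonName       = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = serverAuth
EOF
    # Self-signed CA certificate: key, CSR, then a self-signed cert with CA:TRUE
    # and cRLSign, which is what lets clients accept the CRLs it signs.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out ca.key 2>/dev/null
    openssl req -new -key ca.key -subj "/CN=Example Demo CA" -out ca.csr 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 -extfile ca.ext -out ca.crt 2>/dev/null
)

# Issue a server certificate and record it in index.txt. Extra arguments are
# passed to `openssl ca` (used below to backdate a certificate into expiry).
issue_cert() (  # <dir> <hostname> [openssl ca options...]
    cd "$1"; host=$2; shift 2
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$host.key" 2>/dev/null
    openssl req -new -key "$host.key" -subj "/CN=$host" -out "$host.csr" 2>/dev/null
    openssl ca -batch -notext -config ca.cnf "$@" -in "$host.csr" -out "$host.crt" >/dev/null 2>&1
)

# Mark the entry R in index.txt with a reason code (openssl also accepts
# CACompromise, affiliationChanged, superseded and cessationOfOperation).
revoke_cert() (  # <dir> <hostname>
    cd "$1"
    openssl ca -config ca.cnf -revoke "$2.crt" -crl_reason keyCompromise >/dev/null 2>&1
)

# Flag expired entries (E) and sign a fresh CRL. Only R entries go into the
# CRL; expired certificates are rejected by clients on their dates alone.
publish_crl() (  # <dir>
    cd "$1"
    openssl ca -config ca.cnf -updatedb >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
)

# What a CRL-checking client does: verify the chain, then consult the CRL.
check_cert() (  # <dir> <hostname>
    cd "$1"
    openssl verify -crl_check -CRLfile crl.pem -CAfile ca.crt "$2.crt"
)

# Status letter (V, R or E) for a subject, read from the CA database.
cert_status() (  # <dir> <hostname>
    awk -F'\t' -v cn="/CN=$2" '$6 == cn { print $1 }' "$1/index.txt"
)

d=$(mktemp -d)
setup_ca "$d"
issue_cert "$d" www.example.com
publish_crl "$d"
check_cert "$d" www.example.com
revoke_cert "$d" www.example.com
publish_crl "$d"
check_cert "$d" www.example.com || echo "rejected, status $(cert_status "$d" www.example.com)"
issue_cert "$d" old.example.com -startdate 20200101000000Z -enddate 20200102000000Z
publish_crl "$d"
check_cert "$d" old.example.com || echo "rejected, status $(cert_status "$d" old.example.com)"
```

Two details worth noticing: the client only learns about the revocation after the CA publishes a new CRL and the client fetches it, which is why revocation is a best-effort control and why short certificate lifetimes matter; and the expired certificate is refused with "certificate has expired" even though its serial never appears in the CRL.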

Public CA vs. Private CA Comparison

Public CA (Certificate Authority):
  • Trusted by the public at large because its roots are in browser and operating-system trust stores.
  • Issues the majority of certificates on the internet.
  • Suited to scenarios where a limited number of certificates is needed for public-facing systems.
  • Used for communication over the public internet.
  • Required when providing services and showcasing products to a mass audience.
  • Examples of public CAs: Entrust Datacard, Let's Encrypt. Typical use: public internet sites.

Private CA (Certificate Authority):
  • Operates within an organization and is trusted only by devices and users inside it, which have its root installed.
  • Used mainly by large organizations for internal purposes.
  • Organizations have many domains, hosts and departments, so a private CA is used to issue a large number of certificates at no per-certificate cost.
  • Used for the internal operations of an organization.
  • Used for intra-company communication and protecting data within the company's departments.
  • Typical uses: virtual private networks (VPNs), internal e-mail signing certificates, closed user-group services, file-sharing applications.

Certification Authority List and Who Certifies the Certifiers?

From the comparison above we can see that there are many certificate authorities, each issuing certificates after validating the information received from website owners.

Listed below are some of the most widely known public CAs (browser root stores trust well over a hundred):

  • Sectigo (formerly Comodo CA; the Comodo CA brand was renamed Sectigo in 2018)
  • DigiCert (which acquired Symantec's certificate business in 2017; Symantec's own roots are no longer trusted by browsers)
  • RapidSSL, GeoTrust and Thawte (now DigiCert brands)
  • Network Solutions
  • GoDaddy
  • Entrust Datacard
  • Let's Encrypt (free, automated issuance)

What makes a CA "publicly trusted" is not this list but the inclusion of its root certificate in the root programs run by browser and operating-system vendors, each of which audits CAs against its own policy and the Baseline Requirements.

This leads to one question: who decides which authorities are publicly trusted?

Each root-program operator decides for its own products:

  • Microsoft decides which CAs are trusted on Windows machines.
  • Apple decides which CAs are trusted on its devices and in the Safari browser.
  • Mozilla decides which CAs are trusted in Firefox; its NSS root store is also reused by most Linux distributions through their ca-certificates packages.
  • Google has run its own Chrome Root Store since 2022; before that Chrome used the operating system's trust store.

How CAs Help Take Control Over Cyber Crime & Maintain Peace in the Virtual World

We access a vast number of websites and a great deal of data through the internet every day, and the internet serves it all up without asking who is on the other end.

CAs help make the internet a safer place for users and organizations by validating individuals and organizations, issuing the certificates used for authentication, and thereby enabling encryption. As attackers keep finding ways to intercept and abuse traffic, getting an SSL/TLS certificate is no longer optional. We hope this article was helpful in understanding what a certificate authority is.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.