Certificate Authority (CA)
A certificate authority (CA) is a server (trusted entity) that guarantees subject identities by issuing signed digital certificate wrappers for their public keys.
- issues, renews, revokes, and distributes digital certificates
- acts as a trusted third party to both the certificate owner (subject) and certificate user (relying party)
- relying party relies on the accuracy of the binding between the certificate’s public key and the certificate owner’s identity
- main role:
- signs the certificate to begin with
- later verifies that it is still valid
- E.g., VeriSign, Department of Defense
- one component of the public key infrastructure (PKI) that handles certificates
- can use private or third-party (public) CAs
Private and Public CAs
- private CA can be set up within an organization for internal communications
- certificates it issues will only be trusted within the organization
A third-party CA is a public CA that issues certificates for multiple domains and whose root certificates are widely trusted by operating systems and browsers.
- For public or business-to-business communications
- used to establish a trust relationship between servers and clients
- e.g., Comodo, DigiCert, GeoTrust, IdenTrust, and Let’s Encrypt
- functions:
- Provide a range of certificate services useful to the community of users serviced by the CA
- Ensure the validity of certificates and the identity of those applying for them (registration)
- establish trust in the CA with users, governments, regulatory authorities, and enterprises
- Manage the servers (repositories) that store and administer the certificates
- Perform key and certificate lifecycle management
- revoking invalid certificates
