Overview

A Certificate Authority (CA), also known as a certification authority or certificate issuer, is an establishment that validates the identities of certificate requesters and binds each identity to a cryptographic key by issuing electronic documents known as digital certificates.

The CA signs each certificate, and a client verifies that signature before establishing a connection with the organization’s server. CAs are responsible for the domain control verification (DCV) process and for verifying that the public key the certificate is issued for belongs to the subject that requests it. The format of these certificates is specified by the X.509 or EMV standard.

There are two types of certificate authorities:

  • Public CA: A public CA is a third-party entity that issues certificates for a fee after doing the necessary checks on the organization requesting a certificate. The checks, by default, include domain validation. Third-party CAs have their own public-private key pairs with which they sign the certificates. Most of the well-known CAs are recognized by servers and clients; therefore, certificates signed by them are immediately validated by the entity initiating a secure connection. Publicly signed certificates offer a higher level of assurance since they are issued by a recognized CA, and are generally used for securing websites and other endpoints involving direct user interaction.
  • Private CA: A private CA is a CA hierarchy that an organization creates for itself to issue certificates for its internal network, where discretion is required. This may include VPNs, sensitive databases, and secure mail servers, among others.

How Certificate Authority Works

Certificate authorities are an integral part of public key infrastructure (PKI). The underlying purpose of any PKI setup is to manage keys and the certificates associated with them, thereby creating a highly secure network environment for use by applications and hardware.

Depending on your organization’s needs, you can go to the website of your preferred CA and choose the certificate that suits you best from the options listed. The next step is to generate a certificate signing request (CSR). Once the CSR is submitted, the CA will contact the owners of the domains that the certificate has been requested for and take the necessary verification steps.
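
The request, issuance and verification steps described above, run end to end against a private CA with the openssl command line. This is an added example, not part of the original page: the function names, file names, host names and CA subject are constructed sample values, and the CA's domain check is assumed to have happened out of band.

```shell
#!/bin/sh
# Constructed example: function names, file names, host names and the CA subject are sample values.

# new_ca DIR: private CA. Create a key pair and a self-signed root certificate in DIR.
new_ca() {
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Private Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# new_csr DIR HOST: requester. Create a key pair and a CSR that names HOST.
new_csr() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/$2.cnf"
  openssl req -new -config "$1/$2.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# issue CADIR CSR HOST OUT: CA. Reject a CSR whose self-signature fails (no proof the
# requester holds the private key), then sign a certificate for HOST, the name the CA
# is assumed to have validated out of band.
issue() {
  openssl req -config "$1/ca.cnf" -in "$2" -noout -verify 2>&1 | grep -q "verify OK" || return 1
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$3" > "$4.ext"
  openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 1 -extfile "$4.ext" -out "$4" 2>/dev/null
}

# client_accepts ROOT CERT HOST: client. Check the CA signature, validity period and
# host name before using the server's public key.
client_accepts() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo run in a throwaway directory.
d=$(mktemp -d) && new_ca "$d" && new_csr "$d" app.internal.example &&
  issue "$d" "$d/app.internal.example.csr" app.internal.example "$d/app.crt" &&
  client_accepts "$d/ca.crt" "$d/app.crt" app.internal.example && echo "certificate accepted"
```

A client that trusts a different root, or that connects under a name the certificate does not list, gets a non-zero status from client_accepts; that is why certificates from a private CA only validate on machines where its root has been installed.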