A certificate authority (CA) issues and manages the digital certificates used in a public key infrastructure (PKI). A certificate binds a public key to an identity, such as a domain name, an organization, or a user, and before issuing one the CA verifies that the requester actually controls that identity. Relying parties that trust the CA can then use the certificate to authenticate the other side of a connection and to negotiate an encrypted session, which is what makes TLS-protected transactions across untrusted networks possible. The CA does not perform the encryption itself; it vouches for the key that the communicating parties use to do so.
CAs operate in a hierarchical trust model. At the top is a root CA, whose certificate is self-signed and is trusted not because of its signature (anyone can self-sign) but because relying parties have it installed in their trust store, the list of root certificates that ships with a web browser or operating system (OS). Below the root sit intermediate CAs, whose certificates are signed by the root; intermediates issue the end-entity (leaf) certificates for websites, services, and users. Roots are normally kept offline and sign only intermediates, so a compromised intermediate can be revoked without replacing the root in every trust store. The result is a chain of trust: each certificate is signed by the one above it, and a client validates a leaf by walking the chain upward, checking every signature, until it reaches a root it already trusts.
Before issuing a certificate, the CA verifies that the requester controls the domain or other resource the certificate will name. How deep that check goes depends on the certificate type: domain validation (DV) proves control of the domain only, typically by having the requester publish a CA-supplied token in DNS or at an HTTP path under the domain; organization validation (OV) adds checks that the requesting organization exists and is the one named in the certificate; extended validation (EV) applies the most stringent vetting of the organization's legal identity. All three protect the connection in the same way; they differ only in what the CA asserts about who is behind the name.
A CA can revoke a certificate before its expiry date, for example when the private key has been compromised, the certificate was issued in error, or the subject no longer controls the name (an expired certificate needs no revocation, since clients reject it on the dates alone). Revocation lets relying parties, the organizations, services, and individuals that accept the certificate, learn that it should no longer be trusted. The CA publishes the serial numbers of revoked certificates in a signed certificate revocation list (CRL) and usually also operates an Online Certificate Status Protocol (OCSP) responder that answers status queries for a single certificate. A client that consults neither will keep accepting a revoked certificate until it expires, so checking revocation status is part of validating a chain, not an optional extra.
Web browsers and operating systems (OSs) ship with a preconfigured trust store of root CA certificates. Vendors update this list to add newly accepted CAs and to remove CAs that have lost trust, for instance after mis-issuance. When a user visits a site secured with an SSL/TLS certificate, the client uses the trust store to validate the certificate's chain: the server's certificate must chain, through any intermediates the server presents, to one of those roots, and every signature along the way must verify.
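The chain-of-trust and revocation mechanics described above, as an added example that is not part of the original page: a shell script that uses the openssl command-line tool to build a root, an intermediate, and a leaf certificate, verifies the leaf against a trust store holding only the root, then revokes the leaf through the intermediate's CRL and shows verification failing. The CA names, the hostname www.example.test, the file layout, and the presence of openssl 1.1.1 or 3.x on PATH are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): three-tier PKI with the openssl CLI.
# Assumes openssl 1.1.1 or 3.x on PATH. All names and files here are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
LOG="$WORK/openssl.log"   # key-generation and signing chatter is sent here

# Extension profiles: what makes a certificate a CA, and what a leaf may be used for.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# Minimal 'openssl ca' database, used only so the intermediate can publish a CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = int_ca
[ int_ca ]
dir = .
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = int.crt
private_key = int.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
: > index.txt; echo 1000 > serial; echo 01 > crlnumber

# Generate a fresh RSA key plus either a self-signed cert (-x509) or a CSR.
newkey() { openssl req -new -newkey rsa:2048 -nodes -config ext.cnf "$@" 2>>"$LOG"; }

build_pki() {
  # Root: self-signed; trusted only because a relying party chooses to install it.
  newkey -x509 -days 3650 -extensions v3_root -subj "/CN=Example Root CA" -keyout root.key -out root.crt
  # Intermediate: CSR signed by the root, itself allowed to sign leaves (CA:TRUE).
  newkey -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 \
    -extfile ext.cnf -extensions v3_int -out int.crt 2>>"$LOG"
  # Leaf: CSR signed by the intermediate, never by the root directly.
  newkey -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 90 \
    -extfile ext.cnf -extensions v3_leaf -out leaf.crt 2>>"$LOG"
  openssl ca -config ca.cnf -gencrl -out int.crl 2>>"$LOG"   # empty CRL: nothing revoked yet
}

# Validate leaf -> intermediate -> root against a trust store holding only the root.
# The intermediate is given as 'untrusted': input for chain building, not an anchor,
# exactly as a TLS server sends it during the handshake.
verify_chain() { openssl verify -CAfile root.crt -untrusted int.crt leaf.crt; }

# Same check without the intermediate: the chain cannot reach the root.
verify_chain_without_intermediate() { openssl verify -CAfile root.crt leaf.crt; }

# Chain check plus the leaf's revocation status from the intermediate's CRL.
verify_chain_with_crl() { openssl verify -crl_check -CRLfile int.crl -CAfile root.crt -untrusted int.crt leaf.crt; }

# Mark the leaf revoked in the CA database and republish the CRL with its serial.
revoke_leaf() {
  openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>>"$LOG"
  openssl ca -config ca.cnf -gencrl -out int.crl 2>>"$LOG"
}

build_pki
echo "--- full chain:";                  verify_chain
echo "--- missing intermediate:";        verify_chain_without_intermediate || true
echo "--- CRL check before revocation:"; verify_chain_with_crl
revoke_leaf
echo "--- CRL check after revocation:";  verify_chain_with_crl || true
```

Run it with sh; it works inside a temporary directory and leaves the openssl output in openssl.log there. The second check is the one worth dwelling on: the intermediate is never an anchor, it is handed to openssl as untrusted input, and the leaf is accepted only because the intermediate's signature chains to the root in the trust store. Note that -crl_check examines only the leaf's status; a production verifier also checks the intermediate (-crl_check_all) or queries OCSP.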
You can learn more about managing certificates by exploring DigitalOcean’s guide on handling Let’s Encrypt certificates.