Certificate Authority (CA)
A Certificate Authority (CA) is a trusted third party that issues, manages, and revokes digital certificates, vouching for the binding between a public key and the identity named in the certificate, whether that is a domain name, an organization, or an individual. In public key infrastructure (PKI), the root CAs are the trust anchors from which every other certificate derives its trust.
Certificate Authorities are the backbone of trust on the internet. When a web server presents a TLS certificate, your browser does not take it at face value: it builds a chain of signatures from the server's certificate, through any intermediate certificates the server sent, up to a root certificate already present in its trust store, and along the way checks that each certificate is within its validity period, that each issuer is actually permitted to act as a CA, and that the server certificate names the host being contacted. This chain of trust is what lets you communicate with a website knowing that the party holding the matching private key is the one the certificate names, not an impostor.
CAs operate in a hierarchical structure. Root CAs sit at the top, and their certificates are pre-installed in operating systems and browsers as trust anchors. Because the root private key is so valuable, root CAs keep it offline in hardware security modules and delegate day-to-day certificate issuance to intermediate CAs, whose certificates are constrained (for example, with a basic-constraints path length that forbids them from creating further CAs). A compromised root is catastrophic: whoever holds the key can issue certificates for any domain that every relying party will accept, and the only remedy is to distrust the root in every trust store, which invalidates every certificate that chains to it.
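The chain-of-trust checks described in the two paragraphs above, shown as an added example rather than code from the original page: Go's standard crypto/x509 package is used to build a root, an intermediate constrained to issuing leaves only, and a server certificate, and then to run the verifications a browser performs. It also shows three failure cases a practitioner meets in practice: a server that forgot to send its intermediate, an intermediate that oversteps its path-length constraint by creating a sub-CA, and a rogue CA that issues its own certificate for the same hostname, which is rejected until its root is added to the trust store. All names (Example Root CA, Example Intermediate CA, Rogue Root CA, www.example.com) and serial numbers are constructed for the illustration; Go 1.18 or later is assumed for the generic helper. Revocation and Certificate Transparency are not covered here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: acceptable for demo setup, never for verification logic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a CA or TLS-server certificate template. For a CA, pathLen 0
// means "may sign leaves only", the constraint normally placed on an intermediate.
func template(cn string, serial int64, isCA bool, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key pair and has the parent CA sign tmpl for it. A nil
// parentKey self-signs, which is how a root comes into being.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// verifyChain does what a browser does with a presented leaf: find a path via the
// intermediates the server sent to a root in the local trust store, checking
// signatures, validity, CA and path-length constraints, key usage and hostname.
func verifyChain(leaf *x509.Certificate, sent, roots []*x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool(roots...), Intermediates: pool(sent...)})
	return err
}

// demoResult records each check; each field name states what true means.
type demoResult struct {
	ValidChainOK, MissingIntermediateRejected, WrongHostRejected         bool
	UnauthorizedSubCARejected, RogueCARejected, RogueCATrustedIfRootAdded bool
}

// demo builds root -> intermediate -> leaf, a sub-CA the intermediate was not
// allowed to create, and a rogue root issuing its own cert for the same host.
func demo() *demoResult {
	rootCert, rootKey := issue(template("Example Root CA", 1, true, 1), nil, nil)
	interCert, interKey := issue(template("Example Intermediate CA", 2, true, 0), rootCert, rootKey)
	leafCert, _ := issue(template("www.example.com", 3, false, 0), interCert, interKey)
	subCert, subKey := issue(template("Unauthorized Sub CA", 4, true, 0), interCert, interKey)
	subLeaf, _ := issue(template("www.example.com", 5, false, 0), subCert, subKey)
	rogueCert, rogueKey := issue(template("Rogue Root CA", 6, true, 1), nil, nil)
	rogueLeaf, _ := issue(template("www.example.com", 7, false, 0), rogueCert, rogueKey)

	roots, host := []*x509.Certificate{rootCert}, "www.example.com"
	return &demoResult{
		ValidChainOK:                verifyChain(leafCert, []*x509.Certificate{interCert}, roots, host) == nil,
		MissingIntermediateRejected: verifyChain(leafCert, nil, roots, host) != nil,
		WrongHostRejected:           verifyChain(leafCert, []*x509.Certificate{interCert}, roots, "evil.example.com") != nil,
		UnauthorizedSubCARejected:   verifyChain(subLeaf, []*x509.Certificate{subCert, interCert}, roots, host) != nil,
		RogueCARejected:             verifyChain(rogueLeaf, nil, roots, host) != nil,
		// Same certificate verifies once the rogue root is in the store: root compromise is catastrophic.
		RogueCATrustedIfRootAdded: verifyChain(rogueLeaf, nil, append(roots, rogueCert), host) == nil,
	}
}

func main() { fmt.Printf("%+v\n", *demo()) }
```

Note that nothing about the rogue certificate itself distinguishes it from the legitimate one; the only thing separating acceptance from rejection is whether its issuer sits in the relying party's trust store, which is why trust-store hygiene and root key protection carry the whole system.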
Before issuing, a CA validates the applicant at one of three levels: domain validation (DV) proves control of the domain, organization validation (OV) additionally verifies the legal entity, and extended validation (EV) applies the most stringent identity checks. Services like Let's Encrypt have made DV certificates freely available and automated, dramatically increasing HTTPS adoption. CAs must also provide a way to revoke certificates whose private keys are compromised or that were issued in error, typically by publishing certificate revocation lists (CRLs) or answering Online Certificate Status Protocol (OCSP) queries; in practice many clients check revocation on a soft-fail basis, so revocation should be treated as a mitigation rather than a guarantee.
Certificate Transparency (CT) logs make issuance publicly auditable: every certificate is recorded in append-only logs, and major browsers require proof of logging before they will trust a publicly trusted certificate, which lets domain owners detect rogue or misissued certificates after the fact. Organizations should monitor CT logs for unexpected certificates naming their domains and publish CAA DNS records, which list the CAs permitted to issue for a domain; CAs are required to check CAA before issuing, so the record stops misissuance at the source rather than only detecting it afterwards.