A certificate authority (CA) is an entity that is trusted to sign, issue, distribute and revoke digital certificates.
The majority of digital certificates serve two main functions:
1. They verify the identity of the applicant. With digital certificates, you can be assured that the entities (websites, companies, individuals, etc.) with whom you are interacting are really who they say they are. A certificate binds a public key to an entity.
2. They encrypt the data transferred between two systems so that the data can only be interpreted by the intended receiver.
To better understand certificate authorities, let’s first get a basic understanding of digital certificates.
What is a digital certificate?
The internet was designed to facilitate quick and efficient open mass communication. Because it was initially just a communication method, security was not considered an important issue. But the internet spread like wildfire, and people started using it for business and for transferring sensitive data. People with malicious intentions found this open communication system easy to attack and commit fraud on. Why would someone take the risk of dealing with armed security officers to loot a bank when the same job can be done by writing some code while sitting on a comfy couch? And that’s how the need for online security arose and digital certificates came into the picture.
Digital certificates are small data files that identify the holder of the certificate. It is like your graduation certificate. You need to apply to the university, pass the academic barriers (tests), comply with the university rules – only then can you get the certificate. In the same way, when an entity applies for a digital certificate, the digital certificate authority (CA) follows a verification process before issuing the digital certificate to the applicant.
After issuance and installation of a digital certificate, it (in most cases) will also encrypt the data passed between two systems. Once data is encrypted by a digital certificate, only the intended recipient can decrypt it. No “man-in-the-middle” can intercept and read it.
How can I get a digital certificate from a Certificate Authority?
Once you apply for a digital certificate, the certificate authority will take the necessary steps to verify your identity. This verification process differs depending on the type of the certificate:
- For a simple Domain Validated certificate, the CA sends an email to your registered business email address with a verification link, or uses the HTTP/HTTPS file verification or DNS verification method. The verification only confirms that you control the email address or website in question.
- For higher assurance digital certificates (such as Organization Validation or Extended Validation), the CA will verify details such as your business registration, physical address, the presence of your business on an approved online business directory website, phone number, and/or use other methods to verify the identity of the applicant. When the applicant passes the verification process, the CA issues a digital certificate for their website/software/email.
There are many types of digital certificates. One of the most popular among them is an SSL (Secure Sockets Layer) certificate. An SSL certificate is a digital certificate that encrypts the data transferred between a website’s server and the client/website visitor’s browser.
Suppose you visit an eCommerce website using Chrome (or any browser). Now, your browser does not know the website owner. But it knows the CA that issued the SSL certificate to that website. If that website has installed an SSL certificate, your browser will verify the website’s certificate, then all data transferred between that website and your browser will be encrypted.
It’s a lot like going for a job interview and claiming that you’re a pro in Economics. The interviewer cannot verify the entire syllabus that you studied for four years. The interviewer doesn’t know you or your talents, but s/he knows the university that issued your graduation certificate and can see your A+ in Economics. Hence, they can trust the authenticity of the claims you made.
How to check a website’s SSL certificate
To check the SSL certificate of a website, click on the padlock sign shown before the domain name on the address bar. Click on ‘Certificate.’ You can see the certificate authority’s name, applicant entity’s name, issuance date, expiration date, etc.
How does the user’s browser/operating system recognize the Certificate Authority?
Each CA owns a unique root certificate. This root certificate is shared with all the major browsers and operating systems. All browsers, operating systems, and devices come with these pre-installed Root Certificates in their root store.
Generally, certificate authorities do not issue end-user certificates (SSL certificates, code signing certificates, etc.) directly from the primary root certificate. They usually create a number of intermediate CA certificates and issue end-entity certificates from those. This is called a trust hierarchy.
When a certificate authority approves a digital certificate, an SSL certificate, for example, it signs the certificate with an intermediate certificate, which is in turn signed by the pre-installed trusted root certificate that’s in all browsers/operating systems.
If you want to get further into the details, here’s how it all works. When a user visits a website, their browser tries to verify the website’s SSL certificate via the intermediate certificate, and the intermediate certificate via the trusted root certificate which is preinstalled in the browser. If the “trust chain” validates, the browser creates a session key, encrypts it with the public key in the website’s SSL certificate, and sends it to the website. This session key can only be decrypted by the server’s private key. If the server can decrypt the session key, it sends an acknowledgment back to the browser. All the data sent and received between the browser and the server is now encrypted with the session key. This session key is temporary; a unique session key is generated for each session (or in some cases, even more frequently).
The browser will show a padlock sign and https:// in the address bar, indicating that the website is secured by an SSL certificate.
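The trust hierarchy and the certificate fields described above can be reproduced on the command line. The script below is an added example, not code from the original article and not tied to any real CA: it builds a throwaway root, intermediate and leaf certificate with openssl, prints the fields a browser’s certificate viewer shows for the leaf (subject, issuer, validity dates), and then runs the same chain validation a browser performs, once with the intermediate supplied (which succeeds) and once with the root alone (which fails because the leaf’s issuer cannot be found). Every name ("Demo Root CA", "Demo Intermediate CA", "www.example.test") and every file name is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): build a throwaway
# root -> intermediate -> leaf chain with openssl and validate it the way
# a browser walks the trust chain. All names and files below are
# constructed for the demo; nothing here is a real CA or a real site.
set -eu

demo_dir="$(mktemp -d)"

# Minimal openssl config so the demo does not depend on the system-wide
# openssl.cnf. $1 = config file, $2 = CN. The v3_ca section is only applied
# when -x509 is used (the self-signed root).
write_req_cfg() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = $2
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

build_demo_chain() {
  cd "$demo_dir"

  # 1. Self-signed root: the kind of certificate shipped in a root store.
  write_req_cfg root.cnf "Demo Root CA"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config root.cnf -keyout root.key -out root.pem >/dev/null 2>&1

  # 2. Intermediate CA: a CSR signed by the root, marked CA:TRUE so it may
  #    itself sign end-entity certificates (pathlen:0 forbids sub-CAs).
  write_req_cfg int.cnf "Demo Intermediate CA"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config int.cnf -keyout int.key -out int.csr >/dev/null 2>&1
  cat > int_ext.cnf <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile int_ext.cnf -out int.pem >/dev/null 2>&1

  # 3. Leaf (server) certificate: signed by the intermediate, not the root.
  write_req_cfg leaf.cnf "www.example.test"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config leaf.cnf -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  cat > leaf_ext.cnf <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf_ext.cnf -out leaf.pem >/dev/null 2>&1
}

# Chain validation as a browser does it. $1 = trusted root (the root store),
# $2 = leaf presented by the server, $3 = intermediate the server sends
# alongside the leaf (optional). Returns openssl verify's exit status.
chain_is_valid() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# The fields a browser's certificate viewer shows: who the certificate was
# issued to, who issued it, and its validity window.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
}

build_demo_chain
cert_summary "$demo_dir/leaf.pem"

if chain_is_valid "$demo_dir/root.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem"; then
  echo "with intermediate: chain validates (leaf -> intermediate -> root)"
fi
if ! chain_is_valid "$demo_dir/root.pem" "$demo_dir/leaf.pem"; then
  echo "without intermediate: validation fails, issuer of the leaf is unknown"
fi
```

The second check is the practical point: the root store only contains the root, so a server that forgets to send its intermediate along with its own certificate will fail validation in a browser even though its certificate is perfectly genuine. To inspect a live site’s chain the same way, `openssl s_client -connect example.com:443 -showcerts` prints every certificate the server presents, which can then be fed to `openssl verify` as above.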
List of HTTPS Certificate Authorities
There are only a handful of certificate authorities. Among the most popular ones are RapidSSL, Thawte, Comodo and GeoTrust.