What is a certificate authority?
Whether for public or private trust, certificate authorities are a critical piece of the broader cybersecurity ecosystem. Not familiar with what they are or how they work? No problem.
Here’s everything you need to know about certificate authorities, including how to choose the best one for your business needs.
What is a certificate authority?
A certificate authority (CA), sometimes called a certification authority, is an entity that validates the digital identity of websites, email addresses, companies, or individual persons. They do this using cryptographic assets called digital certificates, which provide a way to prove authenticity.
For example, web browsers work with CAs to authenticate websites, ensuring they’re not operated by hackers or bad actors. If certificate authorities didn’t exist, it would be unsafe to shop, bank, or transmit sensitive information over the internet. The “s” in the “https” prefix stands for secure, so you know the owner of the website has been verified by a trusted CA.
Public CA vs. private CA: What’s the difference?
Certificate authorities are either public or private. Although they perform similar functions, there are important differences between the two categories:
- Public CA: This group includes entities that provide services to the general public. Their certificates are accepted globally, making them suitable for securing websites, online transactions, and other digital use cases. There’s a finite number of public CAs available, but they have deep roots of trust with major web browser providers.
- Private CA: This category includes certificate authorities that are specific to an enterprise’s internal use. In other words, they exclusively issue certificates for internal purposes and use cases, such as private networks and VPNs, user authentication, and code signing. By extension, a private CA is only ‘trusted’ by users inside that organization and rarely issues certificates to external entities. For this reason, it’s also commonly referred to as a “local CA.”
Why are certificate authorities considered trustworthy?
A public CA is a rigorously vetted entity that must meet established baseline requirements put forth by the CA/Browser Forum. Certificate authorities and internet browsers work together to develop stricter and more uniform standards for the management and issuance of various digital certificates.
Because of these baseline requirements, public CAs are globally recognized and accepted for most applications. However, they can’t support internal use cases, which is where a private CA comes into play. Each private CA has a policy that dictates what it is for and the processes and controls it uses to issue certificates. In turn, they’re considered trusted and high assurance.
What is a digital certificate?
Simply put, digital certificates are a way to prove the authenticity of a device, web server, user, or entity. They serve a similar purpose to a driver’s license or passport, providing a form of identification and verifying certain allowances. However, rather than permission to drive or enter a country, digital certificates fulfill three primary functions:
- Authentication: Certificates act as a credential that validates the identity of any entity they’re issued to, such as a web domain or organization.
- Encryption: They secure communication over the internet by encrypting information submitted online, such as usernames and passwords or emails.
- Signing: Certificates ensure digitally signed documents aren’t altered by a third party, thereby upholding their integrity.
This is all made possible by public key infrastructure (PKI). In short, PKI encompasses all of the hardware, software, procedures, and policies required to generate and store cryptographic keys — the assets that make encryption, decryption, and verification possible.
How does public key infrastructure work?
Under PKI, all digital certificates are connected to a particular pair of keys: a public key and private key. Each of these cryptographic assets is a long string of bits used to encrypt and decrypt data. Every certificate is unique to a specific person or entity, acting much like a passport for identification.
The public key is freely available to anyone who requests it, allowing them to encrypt sensitive information before sending it to the associated entity. However, that message can only be decrypted with the private key, known only to the public key’s owner.
But how do you know a public key’s sender is who they claim to be? That’s where certificates come into play. They contain not only the public key but also information about its owner, the issuing CA, the date on which it was created, and when it will expire. This helps verify that the key does indeed belong to the claimed entity rather than a bad actor.
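To make the public/private key split concrete, together with the encryption and signing functions listed under “What is a digital certificate?”, here is an added example in Go using only the standard library. It is not code from the original article or from Entrust; the key pairs, the sample message and the sample contract are all constructed for the example, and the names `bank` and `impostor` are illustrative.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Identity holds one key pair. The public half is handed out freely (in practice inside
// a certificate); the private half never leaves its owner.
type Identity struct{ key *rsa.PrivateKey }

// NewIdentity generates a fresh 2048-bit RSA key pair (constructed for the example).
func NewIdentity() Identity {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return Identity{key: k}
}

// Public returns the key anyone may use to encrypt for, or verify signatures from, this identity.
func (id Identity) Public() *rsa.PublicKey { return &id.key.PublicKey }

// Encrypt seals msg so that only the holder of the matching private key can read it.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a ciphertext; it returns an error for any other private key.
func (id Identity) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, id.key, ct, nil)
}

// Sign produces a signature over the SHA-256 digest of doc with the private key.
func (id Identity) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, id.key, crypto.SHA256, digest[:], nil)
}

// VerifySignature reports whether sig was made over exactly doc by the private key
// matching pub. Any change to doc, or a signature from another key, makes it false.
func VerifySignature(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	bank := NewIdentity()     // the entity whose public key is published
	impostor := NewIdentity() // an unrelated key pair

	// Encryption: sealed with the bank's public key, readable only with its private key.
	secret := []byte("account 1234, transfer 50 (constructed sample)")
	ct, _ := Encrypt(bank.Public(), secret)
	pt, _ := bank.Decrypt(ct)
	_, wrongKeyErr := impostor.Decrypt(ct)
	fmt.Printf("decrypted=%q wrong key rejected=%v\n", pt, wrongKeyErr != nil)

	// Signing: integrity of a document, the property document and code signing certificates provide.
	contract := []byte("Party A agrees to pay Party B 100 units. (constructed sample)")
	sig, _ := bank.Sign(contract)
	tampered := bytes.Replace(contract, []byte("100"), []byte("900"), 1)
	fmt.Println("original verifies:", VerifySignature(bank.Public(), contract, sig))
	fmt.Println("tampered verifies:", VerifySignature(bank.Public(), tampered, sig))
	fmt.Println("other key verifies:", VerifySignature(impostor.Public(), contract, sig))
}
```

The signature half is exactly what document signing and code signing certificates rely on: change a single byte of the signed content and verification fails. One caveat on the encryption half: in a TLS 1.3 handshake the certificate’s key signs handshake data to prove identity, and the session key comes from an ephemeral key exchange, so “encrypt with the public key” describes the general idea rather than how HTTPS uses the certificate today.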
What is certificate management?
Certificate management is the process of managing digital certificates throughout their lifecycle — from provisioning to renewing to revoking. However, certificate management can be challenging for organizations that have a growing number of certificates.
With the usage of digital certificates on the rise, manual management processes (like spreadsheets) are not sustainable. Many enterprises are turning to lifecycle management tools that not only provide complete visibility into their cryptographic inventories and certificate estate but also provide a much-needed automation layer.
Types of digital certificates
Digital certificates, as the foundation for privacy and protection, are essential to safeguarding online interactions. Most certificate authorities offer a range of certificate types for various use cases, assurance levels, compliance requirements, and other applications. These include:
Document signing certificates
As the name implies, a document signing certificate is used to sign electronic records. More importantly, they ensure the integrity of the document, verifying the contents haven’t been tampered with, and verify the signer’s identity. They’re especially useful for legal contracts as they can help organizations support non-repudiation.
Code signing certificates
Similarly, a code signing certificate allows software developers to digitally sign applications and programs. This ensures end-users can verify the code they receive hasn’t been altered or manipulated — protecting both parties against fraud, malware, and theft.
TLS/SSL certificates
Perhaps the two most common types of digital certificates are TLS and SSL certificates. TLS stands for “Transport Layer Security,” whereas SSL stands for “Secure Sockets Layer.” Both are internet security protocols that authenticate identity and establish encrypted browser connections.
Technically, the SSL certificate is outdated, and TLS encryption has taken its place. However, the name “SSL” is still commonly used in reference to Transport Layer Security. That’s why, more often than not, you see a combination of the two acronyms: TLS/SSL.
This type of certificate is normally used for website, client, and server authentication. Beneath this broad category, there are several specific types of TLS/SSL certificates, including:
- Extended validation (EV) certificates: EV SSL certificates provide the highest assurance security, and the verification process is the most rigorous. When deployed on a website, a padlock icon, the organization’s name, and the “S” designation after HTTP become visible to visitors. This type of certificate is generally used for web applications that require identity assurance for collecting data, processing logins, or conducting online payments.
- Organization validation (OV) certificates: OV SSL certificates offer identity assurance and encryption and are best suited for encrypting user information during transactions. Most consumer-facing websites are legally required to deploy OV SSL certificates to ensure information communicated during a session remains confidential.
- Domain validation (DV) certificates: DV SSL certificates have fewer identity verification requirements than EV or OV certificates, only proving domain control. They’re often used for low-risk applications, such as blogs, user communities, or informational sites. This makes DV certificates less expensive and easier to obtain.
- Wildcard SSL certificates: A wildcard SSL certificate is verified to the organization validation level and is a cost-effective solution for securing a base domain and any number of affiliated subdomains. In addition to being less expensive than buying multiple individual certificates, they offer greater simplicity because users don’t have to submit more than one certificate signing request or manage the expiration dates for multiple TLS/SSL certificates across numerous URLs.
- Unified communications (UC) SSL certificates: These are verified to either the extended validation or the organization validation level. They consolidate multiple hostnames into a single certificate by listing them as Subject Alternative Names (SANs), which saves cost compared with separate certificates. UC SSL certificates establish trusted identities and eliminate the browser warnings that would otherwise discourage visitors from entering your site.
Why are TLS/SSL certificates important?
Having trusted TLS/SSL certificates from a reputable certification authority is extremely important for a variety of reasons:
- Increasing compliance requirements: The General Data Protection Regulation (GDPR) implemented in Europe is being adopted throughout the world. Organizations in violation of GDPR standards face hefty fines or revenue loss.
- Loss of search engine visibility: Search engines are cracking down on websites that pose security threats by displaying negative security indicators and removing sites from search results.
- Heightened data security: It’s critical to protect passwords, credit card numbers, financial transactions, and other high-value data.
- Emphasis on trusted identity: The certificate authority verifies the identity of organizations, confirms the company has control over its domains, and ensures the requester of the certificate is employed by the associated entity.
Want to learn more about TLS/SSL certificates? Check out our latest eBook.
How do publicly trusted CAs work?
The process begins when an applicant generates a pair of cryptographic assets — the public key and private key — alongside a certificate signing request (CSR). In short, a CSR is an encoded file that includes the public key and other pertinent information to be included in the certificate.
This may include the corresponding domain name, organization, and contact information, but ultimately will vary depending on the validation level and intended use case. The private key, however, is always kept secret and should never be shown to anyone, including the CA.
Next, the applicant sends the certificate signing request to the issuing CA. The issuing CA then independently verifies that the information contained in the CSR is correct. If it is, the CA digitally signs the certificate with its own private key and sends it back, adding a layer of trust in the process.
Finally, the digital certificate can be authenticated using the issuing CA’s public key, such as when someone visits the applicant’s website through a web browser. In doing so, the browser confirms that the contents of the certificate haven’t been altered or tampered with since the issuing CA signed it.
What is a chain of trust?
The chain of trust is a hierarchy that certificates use to verify the validity of the issuing CA. In this model, certificates are issued and signed by other certificates that exist higher up in the chain. This allows anyone who wants to verify the authenticity of a certificate to trace it back to the CA’s original certificate, known as the “root certificate.”
Overall, this process is the sum of three parts:
- A trust anchor is the originating CA. Its root certificate is normally pre-installed in most browsers in a “trust store.”
- At least one intermediate certificate, which branches off the root certificate like a tree. Intermediates provide a buffer between the trusted certificate authority and the end entity.
- The end entity certificate validates the identity of a website, business, or person. The chain of trust ensures that CAs adhere to compliance standards, especially those related to security, privacy, and scalability.
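The issuance flow described above (key pair, CSR, CA verification and signing) and the three-part chain of trust can be walked through end to end. The following is an added example in Go using only the standard library; it is not code from the original article or from Entrust. The names (Example Root CA, Example Issuing CA, example.test, other.test), serial numbers and validity periods are constructed for the example, and the domain-control check a real CA performs before copying the requested names into a certificate is not modelled. It also shows the wildcard behaviour mentioned under the TLS/SSL certificate types: a `*.example.test` SAN covers one label of subdomain, not deeper ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is an in-memory chain of trust: trust anchor, one intermediate, one end entity.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
	LeafKey                  *ecdsa.PrivateKey // stays with the applicant, never sent to the CA
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issueCA builds a CA certificate: self-signed when parent is nil (a root),
// otherwise signed by the parent's private key (an intermediate).
func issueCA(name string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name, Organization: []string{"Example Org (constructed)"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// BuildChain follows the issuance flow: the applicant generates a key pair and a CSR, the
// issuing (intermediate) CA checks and signs it, and the intermediate itself chains to the root.
func BuildChain(dnsNames []string) Chain {
	rootKey := newKey()
	root := issueCA("Example Root CA", rootKey, nil, nil, 1)
	interKey := newKey()
	inter := issueCA("Example Issuing CA", interKey, root, rootKey, 2)

	// Applicant side: key pair plus a CSR carrying the public key and the requested names.
	leafKey := newKey()
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: dnsNames[0]},
		DNSNames: dnsNames,
	}, leafKey))

	// CA side: parse the CSR, confirm it is signed by the key it carries (proof of possession),
	// then issue a certificate that copies only the fields the CA has validated. A real CA
	// would prove the applicant controls each name before copying it; that step is omitted here.
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, csr.PublicKey, interKey))
	return Chain{Root: root, Intermediate: inter, Leaf: must(x509.ParseCertificate(leafDER)), LeafKey: leafKey}
}

// VerifyWith does what a browser does: build a path from the leaf through the intermediate to
// a root in the trust store, check every signature and validity period, and match host against
// the certificate's names (a wildcard SAN covers exactly one label).
func VerifyWith(c Chain, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Describe returns the fields the article lists: owner, issuer and validity window.
func Describe(cert *x509.Certificate) string {
	return fmt.Sprintf("subject=%q issuer=%q valid %s to %s", cert.Subject.CommonName,
		cert.Issuer.CommonName, cert.NotBefore.Format("2006-01-02"), cert.NotAfter.Format("2006-01-02"))
}

func main() {
	site := BuildChain([]string{"example.test", "*.example.test"}) // constructed names
	other := BuildChain([]string{"other.test"})                    // an unrelated hierarchy
	for _, c := range []*x509.Certificate{site.Leaf, site.Intermediate, site.Root} {
		fmt.Println(Describe(c))
	}
	fmt.Println("www.example.test, own root:      ", VerifyWith(site, site.Root, "www.example.test"))
	fmt.Println("a.b.example.test, own root:      ", VerifyWith(site, site.Root, "a.b.example.test"))
	fmt.Println("www.example.test, unrelated root:", VerifyWith(site, other.Root, "www.example.test"))
}
```

Three outcomes are worth noting when running it: the site verifies under its own root, a host two labels below the wildcard is rejected, and the very same leaf fails to verify when the trust store holds only an unrelated root. That last case is the whole point of the “local CA” described earlier: a private CA’s root certificate has to be distributed to exactly the machines that should trust it, and nothing outside that set will accept its certificates.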
How do you choose a certificate authority?
Not all CAs are designed for, or capable of, securing your organization’s specific use case. Some won’t work with your IT infrastructure, and others may not offer the services you’re looking for. Here are some key considerations to keep in mind when selecting a certificate authority:
- Does the CA adequately protect your brand?
- Does the CA follow Certificate Authority Browser Forum best practices?
- Does the CA offer flexible licensing and pricing policies?
- Can the CA grow alongside your organization to meet its current and future needs?
- Does the CA actively participate in the CA Security Council?
Entrust your digital certificates to us
There’s a reason why countless organizations turn to Entrust for their public and private certificate needs. As a globally recognized certificate authority, we have decades of experience in certificate issuance and management. Moreover, we offer a single pane of glass for you to manage public and private certificates — including those issued by other CAs.
And, as a founding member of the CA Security Council and CA/Browser Forum, we’re always at the forefront of industry standards. With a broad portfolio of digital certificates and solutions, you have access to a growing list of innovative products and services.
With Entrust’s award-winning certificates platform, you gain:
- Unparalleled support
- Universal browser compatibility
- Unlimited reissues
- Unlimited server licensing
- 128- to 256-bit encryption