What is a Certificate Authority

A Certificate Authority (CA) is a trusted third party that issues digital certificates. A certificate binds a domain name (like example.com) to a public key and is digitally signed by the CA's private key. When your browser connects to a website over HTTPS, it verifies the certificate's signature using the public keys of the trusted CAs built into the operating system or browser. If the signature is valid, the browser trusts that the public key belongs to the claimed domain.

How it works

The certificate issuance process follows these steps:

  1. Key generation -- the server operator generates a public/private key pair.
  2. Certificate Signing Request (CSR) -- the operator creates a CSR containing the public key and the domain name, and sends it to the CA.
  3. Domain validation -- the CA verifies that the requester controls the domain. Let's Encrypt uses automated challenges: place a specific file at a known URL (HTTP-01), or create a DNS TXT record (DNS-01).
  4. Signing -- the CA signs the certificate with its private key and returns it.
  5. Deployment -- the operator installs the signed certificate on the server.

CAs are organized in a chain of trust. A root CA signs intermediate CA certificates, and intermediate CAs sign end-entity (server) certificates. Root CA private keys are kept offline in hardware security modules. Browsers and operating systems ship with a set of trusted root certificates (the "trust store"). A certificate is trusted if its chain leads back to a root in the trust store.

If a CA is compromised or issues certificates fraudulently, browsers can revoke trust in that CA, invalidating all certificates it issued. Certificate Transparency (CT) logs provide a public, append-only record of every issued certificate, allowing domain owners to detect unauthorized issuance.
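The five issuance steps, the root/intermediate/leaf chain of trust and the effect of distrusting a CA, worked through end to end as an added example. This Go program is written for this page and is not code from Let's Encrypt or any real CA; the function names (NewCA, MakeCSR, Issue, VerifyChain), the CA names and the validated callback are assumptions of the example. Only the Go standard library is used. MakeCSR plays the server operator (steps 1 and 2), Issue plays the CA (steps 3 and 4, with validated standing in for an HTTP-01 or DNS-01 challenge), and VerifyChain plays the browser, chaining the leaf through the intermediate to a root in its trust store. Removing the root from the store is what "revoking trust in a CA" looks like from the client's side: every certificate beneath it stops verifying.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// parseIssued turns CreateCertificate's DER output into a parsed certificate.
func parseIssued(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA returns a self-signed root when parent is nil, otherwise an intermediate signed by the parent's key.
func NewCA(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // real CAs use random serials
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil { // a root signs itself
		parent, parentKey = tmpl, key
	}
	cert, err := parseIssued(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return cert, key, err
}

// MakeCSR is the operator's side (steps 1-2): a fresh key pair and a CSR with the public key and domain.
func MakeCSR(domain string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: domain},
		DNSNames: []string{domain},
	}, key)
	return der, key, err // the private key never leaves the operator
}

// Issue is the CA's side (steps 3-4); validated stands in for the HTTP-01/DNS-01 challenge (assumed hook).
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, validated func(string) bool) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // requester must hold the matching private key
		return nil, err
	}
	for _, d := range csr.DNSNames {
		if !validated(d) {
			return nil, fmt.Errorf("domain validation failed for %q", d)
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames, // the CA asserts only the names it validated
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return parseIssued(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey))
}

// VerifyChain is the browser's side: chain leaf -> intermediate -> a root in the trust store, then check the host name.
func VerifyChain(leaf, intermediate *x509.Certificate, trustStore *x509.CertPool, host string) error {
	inter := x509.NewCertPool()
	inter.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: trustStore, Intermediates: inter})
	return err
}

func main() {
	root, rootKey, _ := NewCA("Example Root CA", nil, nil)
	inter, interKey, _ := NewCA("Example Intermediate CA", root, rootKey)
	csr, _, _ := MakeCSR("example.com")
	leaf, _ := Issue(inter, interKey, csr, func(d string) bool { return d == "example.com" }) // validator accepts
	store := x509.NewCertPool() // the browser's trust store, holding only our root
	store.AddCert(root)
	fmt.Println("root trusted:", VerifyChain(leaf, inter, store, "example.com"))
	fmt.Println("root distrusted:", VerifyChain(leaf, inter, x509.NewCertPool(), "example.com"))
}
```

Run it with `go run .`; the first line prints `<nil>` (chain verifies) and the second prints an "unknown authority" error, because the root was taken out of the trust store. Note that the CA only copies into the certificate the names the validator approved, and that CheckSignature on the CSR is what ties the requested public key to someone who actually holds the private key.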

Let's Encrypt, operated by the Internet Security Research Group, is the largest CA by volume, providing free, automated certificates via the ACME protocol. It has fundamentally changed the web by making HTTPS the default.

Why it matters

Certificate Authorities are the foundation of trust on the internet. Every HTTPS connection, every TLS handshake, every secure API call depends on a CA having vouched for the server's identity. Understanding the CA system -- and its weaknesses -- is essential for anyone building or operating secure systems.

See How Certificates Work and How Digital Signatures Work for the full walkthrough.