Overview#

In Cryptography, Certificate Authority (CA) is an entity that issues digital Certificates.

The digital Certificate certifies the ownership of a Public Key by the named Certificate Subject of the Certificate.

The Registration Authority which is often the same as the Certificate Authority performs this by Identity Proofing during the Certificate Request Process.

This Certificate Request Process is designed to allow the Relying Party to Trust upon Digital Signatures or assertions made by the Private Key that corresponds to the Public Key is Authentic.

Certificate Authoritys are characteristic of many Public Key Infrastructure (PKI) schemes.[1]

The user is responsible for going through the step of Certificate Validation for a certificate with a Certificate Authority to figure out if the certificate presented is valid.

Each Certificate Authority must have a CAPK and available to the user or device to perform the Certificate Validation of any Certificates.

Trust Anchor and Certificate Authority#

Certificate Authority issue uses a Trust Anchor Certificate (or Root Certificate) to sign all Certificates that they issue.

Certificate Authority and Identity Proofing#

A certificate authority, is supposed to, provide outside validation (Identity Proofing) that the certificate, that is sent by a ServerCertificate was properly issued to someone who controls that server’s DNS Domain. The DNS Domain you use in a browser then must pass the Certificate Validation. The Identity Proofing process that domain owner went through to obtain it. The CAs are part of a Chain of trust that includes Development Teams of Operating Systems and browsers, and represent the weakest link.

The Threat of certificates were issued that could or did lead to weaknesses has happened multiple times in the last decade. Perhaps the most well-known of these is DigiNotar, a Dutch CA that was compromised in 2011. One of the certificates was allegedly used by the government of Iran to intercept sessions of its citizens. This is one of the Public Key Infrastructure Weaknesses.

More Information#

There might be more information for this subject on one of the following:

• Administrative Identity
• Authoritative Entity
• Automatic Certificate Management Environment
• Backing Up The Organizational CA
• Boulder
• CA
• CAPK
• Certificate
• Certificate Algorithm ID
• Certificate Authority
• Certificate Chain
• Certificate Extensions
• Certificate Formats
• Certificate Issuer
• Certificate Pinning
• Certificate Renewal
• Certificate Request Message Format
• Certificate Request Process
• Certificate Revocation
• Certificate Revocation List
• Certificate Serial Number
• Certificate Signing Request
• Certificate Transparency
• Certificate Validation
• Certificate-based Authentication
• CertificateRequest
• Certification Authority Browser Forum
• Compromised Certificate
• Creating KMO Signed By An External Certificate Authority
• DNS Certification Authority Authorization
• DNS-Based Authentication of Named Entities
• Digital certificate request
• Distinguished Names
• Dogtag
• Domain Authorization Document
• Domain Validated Certificate
• EMV Terms
• Exporting The Certificate Authority Certificate
• Extended Validation Certificate
• FreeIPA
• How SSL-TLS Works
• How To Recover The Certificate Authority
• How to get OpenSSL to recognise an Active Directory CA
• Identity Certificate
• Importing Certificates In Imanager
• Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
• Java KeyStore
• LDAPs and AD
• Lets encrypt
• MovingTheCertificateAuthority
• NICITreeKeyProvider
• OCSP Stapling
• Online Certificate Status Protocol
• Opportunistic encryption
• Organization Validated Certificate
• PKCS10
• Perspectives Project
• PolicyConstraints
• Privacy-Enhanced Mail
• Public Key Infrastructure
• Public Key Infrastructure Weaknesses
• Public Key Pinning Extension for HTTP
• Registration
• Registration Authority
• Relying Party
• Root Certificate
• Roots of Trust
• SHA-1
• SHA-1 Deprecation
• SSL-TLS Interception
• Self-signed Certificate
• Subject Alternative Name
• SubjectKeyIdentifier
• TLS Maturity Model
• Trust Anchor
• Trust No One
• Truststore
• U-Prove
• Verifying Certificate Signatures
• W3C Decentralized Identifiers
• Web of Trust

---

[#1] - http://en.wikipedia.org/wiki/Certificate_authority