This post will answer the question – what is a certificate authority? Read on.
Safety and security are vital in the digital world. When a user visits a website, two questions come to mind:
Is the site secure? Can I make online transactions on it safely?
To answer them, users look at the site's security indicators. Frequent internet users know that HTTPS and the padlock icon are trust indicators. Strictly, they prove two things: the connection is encrypted, and the server has demonstrated control of the domain name shown in the address bar. They say nothing about the honesty of whoever runs the site.
These icons are visible on the screen, but:
- Are you aware of how these icons work behind the scenes?
- How does a server communicate with the browser?
- How does the server state: “I am secured with an SSL certificate, so trust me?”
- How does the browser know which SSL certificate can be trusted?
- Who issues these SSL certificates?
Before looking at the backend process, let us see what makes the trust indicators appear. An SSL/TLS certificate installed on the web server is what allows the browser to show them. SSL (Secure Sockets Layer) is the predecessor of today's TLS (Transport Layer Security), but the certificates are still commonly called SSL certificates. A certificate does not itself encrypt anything: it binds the server's public key to its domain name, the browser uses it to authenticate the server, and the TLS handshake then derives the keys that encrypt all browser-server traffic, keeping it out of an intruder's reach. These digital certificates are issued by Certificate Authorities (CAs), which therefore carry a large share of the responsibility for securing the internet.
In this article, we will discuss what a Certificate Authority is, how it works, and what it does to secure the internet.
What Is a Certificate Authority?
A Certificate Authority is a trusted entity that verifies websites and, after verification, issues digital certificates called SSL certificates. Its purpose is to vouch for identities so that others can rely on them.
CAs are trusted both by relying parties (browsers and their users) and by certificate owners. A CA validates the domain or company that applied for a certificate and issues certificates that web browsers trust.
An example may make this clearer.
Example: suppose you are on the website of SSL2BUY. The domain name says SSL2BUY, but how do you know the page is served by that company's server and not by an attacker who has imitated it?
Without some independent check there is no way to tell whether the website is legitimate. This is where Certificate Authorities come in.
When a CA issues an SSL certificate for a website, the CA's details are embedded in the certificate as its issuer. Clicking the padlock shows that the connection is secured with a certificate issued by a CA (here, DigiCert Inc.), which assures customers that they have reached the genuine site.
How Do CAs Work?
SSL certificates are based on Public Key Infrastructure (PKI). The site owner generates a key pair (a private key and a public key) and creates a CSR (Certificate Signing Request). The CSR contains the public key and the identifying information (domain name, organisation) and is sent to the CA; the private key never leaves the owner's server.
The CA validates the request, signs the certificate with its own private key and returns it; the owner then installs it on the server. The signed certificate carries the site's details, the validity period, the issuer's name, the site's public key, and the CA's signature, which any browser holding the CA's public key can check.
What Does The Certificate Authority Do?
Certificate Authorities perform verification and authentication before issuing digital certificates.
- The CA verifies the identity of the party requesting an SSL certificate for their website. The process includes vetting domain names, organisations, or individuals against official registrations and records.
- Once validation is complete, a digital certificate is issued to establish trust. Such certificates authenticate servers, companies, and individuals, which is what lets browsers display the security indicators. Certificates are also used for encryption and code signing.
- CAs also publish Certificate Revocation Lists (CRLs): signed lists of certificates that have been revoked before their expiry date, for example after a private-key compromise, so that relying parties reject them even though the signature still verifies. (Expired certificates are not listed; they fail the validity-date check on their own. Most CAs also offer online status checks via OCSP.)
Validations & Functions of CA
The checks a CA performs depend on the type of SSL certificate requested.
- Domain Validation (DV) SSL:
The CA verifies that the applicant controls the domain name, for example by having them publish a CA-supplied token in a DNS record or at a specific URL on the web server, or by responding to an email sent to an address listed in the WHOIS record. Nothing about the organisation behind the domain is checked, so a DV certificate proves domain control and no more.
- Organisation Validation (OV) SSL:
One step beyond DV: the CA also verifies that the organisation is legitimate, confirming its existence by checking the registered organisation name, location, and domain name against business records.
- Extended Validation (EV) SSL:
EV SSL is the highest level of validation and is preferred by large organisations and corporates. It involves thorough research into the company and legal verification of its identity. Vendors market EV as improving conversion rates, but since 2019 the major browsers no longer show a distinct EV indicator (such as the company name) in the address bar, so the difference visible to visitors is small; the organisation details remain viewable in the certificate itself.
CAs also issue certificates of different scopes:
- Single-Domain SSL: secures one fully qualified domain name, such as www.example.com (often with the bare domain added as a second name)
- Multi-Domain SSL: secures every name explicitly listed in its Subject Alternative Name (SAN) extension, which may be domains and sub-domains of any level, and nothing else
- Wildcard SSL: a name such as *.example.com secures the sub-domains one level below the main domain, not deeper levels
Analyze your business requirement and buy an SSL certificate accordingly.
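To see what "first level" and "multiple domains" mean to a browser, here is an added shell example (not from the original article) that mints throwaway self-signed certificates with the openssl CLI and asks which hostnames each one covers. example.com, example.org and example.net are placeholders. It goes slightly beyond the text by showing that a wildcard alone does not cover the bare domain, and that matching is done against the Subject Alternative Name list rather than the Common Name.

```shell
#!/bin/sh
# Added example, not code from the original page: which hostnames does a certificate
# actually cover? Self-signed throwaway certificates with different Subject Alternative
# Name lists; example.com / example.org / example.net are placeholders.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# $1 = output basename, $2 = subjectAltName value (the list of names the cert is valid for)
mint() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" -days 1 \
    -subj "/CN=$1" -addext "subjectAltName=$2" 2>/dev/null
}
mint single   "DNS:example.com"
mint wildonly "DNS:*.example.com"
mint wildcard "DNS:*.example.com,DNS:example.com"   # CAs usually add the apex as a second SAN
mint san      "DNS:example.com,DNS:www.example.org,DNS:api.example.net"

# Apply the same name-matching rules a browser uses (RFC 6125, via X509_check_host).
# The CN is a throwaway here: once a SAN list is present, only the SAN entries count.
covers() {  # $1 = cert basename, $2 = hostname -> prints yes or no
  if openssl x509 -in "$1.pem" -noout -checkhost "$2" 2>&1 | grep -q 'does match'; then
    echo yes
  else
    echo no
  fi
}

for host in example.com www.example.com a.b.example.com www.example.org; do
  printf '%-18s single=%s wildonly=%s wildcard=%s san=%s\n' "$host" \
    "$(covers single "$host")" "$(covers wildonly "$host")" \
    "$(covers wildcard "$host")" "$(covers san "$host")"
done
```

The table the loop prints is the practical rule: a wildcard matches exactly one label (www.example.com but not a.b.example.com), it does not match the bare example.com unless that name is listed as well, and a multi-domain certificate covers precisely the names in its SAN list.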
Role Of CA In Nurturing Trust
All CAs use a hierarchical trust model, and the chain of trust consists of:
- Root Certificates:
Root certificates belong to the issuing CA and are self-signed: the CA signs them with its own private key, so nothing inside the certificate makes it trustworthy. A root is trusted only because a browser or operating-system vendor has admitted it, after audit, to the root store that ships with the browser or OS. The root private key is the most valuable asset a CA holds and is kept offline.
- Intermediate Certificates:
Intermediate certificates are the link between the protected root and the certificates issued to websites. They are signed by the root (or by another intermediate), carry the day-to-day issuance load, and let the root key stay offline; if an intermediate key is compromised, only that intermediate has to be revoked rather than the root.
- Server Certificates:
This is the certificate a CA issues for your domain. Installed on your web server, it covers your domains and sub-domains according to its type. The server must send the intermediate certificate along with it, because the browser's root store holds only the root and cannot otherwise complete the chain.
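The following added shell example (not code from the original article) ties together the key pair, CSR and signing steps from "How Do CAs Work?" and the root, intermediate and server tiers described above. It builds a complete three-tier chain with the openssl CLI and then verifies the server certificate the way a browser would: against a trust store holding only the root, with and without the intermediate, against the wrong root, and against a certificate that a server key tried to issue itself. Names such as Example Root CA, www.example.com and example.net are placeholders, and the extension profiles are written inline rather than taken from any real CA's configuration.

```shell
#!/bin/sh
# Added example, not code from the original page: build a root -> intermediate -> server
# chain with the openssl CLI, then check it the way a browser would. Every name
# (Example Root CA, www.example.com, example.net) is a placeholder; all keys are throwaway.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Extension profiles (a real CA keeps these in its openssl.cnf). Root and intermediate are
# marked CA:TRUE; the intermediate gets pathlen:0 so it can sign only end-entity certificates.
cat > root.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
sed 's/CA:TRUE/CA:TRUE, pathlen:0/' root.ext > int.ext
cat > server.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com, DNS:example.com
EOF

# Step 1 (the applicant): key pair plus CSR. Only the CSR (public key + names) leaves the owner.
make_csr() {  # $1 = basename, $2 = subject
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
}
# Step 2 (the CA): issuance is nothing more than signing the CSR with the issuer's private key.
sign() {  # $1 = CSR basename, $2 = issuer basename, $3 = days, $4 = extension file
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days "$3" -sha256 -extfile "$4" -out "$1.pem" 2>/dev/null
}
# A root signs itself, so nothing inside the certificate makes it trustworthy;
# only its presence in a verifier's trust store does.
self_sign() {  # $1 = basename
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -sha256 \
    -extfile root.ext -out "$1.pem" 2>/dev/null
}

make_csr root   "/CN=Example Root CA";      self_sign root
make_csr rogue  "/CN=Rogue Root CA";        self_sign rogue     # a root no browser ships
make_csr int    "/CN=Example Issuing CA";   sign int root 1825 int.ext
make_csr server "/CN=www.example.com";      sign server int 90 server.ext
# A server key trying to act as a CA: its certificate says CA:FALSE, so this must not verify.
sed 's/example\.com/example.net/g' server.ext > evil.ext
make_csr evil   "/CN=www.example.net";      sign evil server 90 evil.ext
cat server.pem int.pem > evil_chain.pem

# Step 3 (the verifier): chain the leaf to a root that is already in the trust store.
# $1 = trust store (what the browser ships), $2 = leaf, $3 = optional intermediates sent by the server
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

echo "trusted root, intermediate sent by server: $(verify_leaf root.pem server.pem int.pem)"      # OK
echo "trusted root, intermediate missing:        $(verify_leaf root.pem server.pem)"              # FAIL
echo "root not in the trust store:               $(verify_leaf rogue.pem server.pem int.pem)"     # FAIL
echo "issued by a CA:FALSE server certificate:   $(verify_leaf root.pem evil.pem evil_chain.pem)" # FAIL
openssl x509 -in server.pem -noout -subject -issuer -dates -ext subjectAltName
```

The three FAIL cases are the ones practitioners meet most often: a server that does not send its intermediate (it appears to work on machines that have cached that intermediate and breaks everywhere else), a private or rogue root that is not in the client's store, and the basicConstraints check that stops any leaf certificate from being used to mint further certificates.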
- Importance of CA:
Let us imagine:
- What would happen if there were no CAs?
- Without trusted entities and digital certificates, how would you defend against cyber-attacks?
- Without CAs securing the web, how would a user know whether they are connected to the legitimate site's server or to a malicious one?
These questions are enough to cause goosebumps. CAs' duties are not restricted to handing out certificates: they are the authorities that authenticate and validate domains, individuals, and organisations, and then bind those identities to public keys with their signature.
CAs issue SSL certificates only after the checks described above, so a site presenting a valid certificate is, at a minimum, proven to be run by whoever controls that domain name. Google Chrome and the other major browsers now flag any plain-HTTP page as "Not secure", which has pushed sites to adopt certificates.
The TLS session that the certificate anchors typically uses strong symmetric encryption such as 256-bit AES, which is far beyond brute force. Without it, data in transit can be read or tampered with and malicious content injected. CAs therefore underpin authenticity, confidentiality, and data integrity.
Types Of CA’s
CAs operate both regionally and globally. There are many global CAs, but only a few dominate the market.
There are publicly trusted CAs, called public CAs, and there are private CAs too. Let us look briefly at both.
- Public CA:
Public CAs are also called commercial CAs, although some, such as Let's Encrypt, are run by non-profits. These third-party entities issue certificates to individuals and organisations who request them. They comply with the CA/Browser Forum Baseline Requirements and are audited against them, which is why their roots are included in browser and operating-system trust stores and their certificates are accepted by virtually all browsers.
Comodo (now Sectigo), DigiCert, GlobalSign, and Let's Encrypt are a few big names.
- Private CA:
A private CA, or private PKI (Public Key Infrastructure), serves a single enterprise but works like a public CA. It is also called an internal CA. It issues certificates only for the organisation that runs it, which gives it some specific properties:
- Because its certificates are issued internally, they are trusted only by clients that have the private root installed; the organisation must distribute that root to its own devices, users, and IT systems.
- Access is restricted to a limited group of users.
- The organisation itself, or a contractor it hires, sets up and hosts the CA.
- They best suit internal networks and intranets.
Private CA’s are used for:
- Intranet Sites
- VPN (Virtual Private Network)
- Private Email Signing Certificates
- CUGs (Closed User Groups)
The internet is like the two sides of a coin. One side is the vast store of global information that can be reached within seconds; the other is the insecurity of reaching it.
Data breaches, cyber-attacks, phishing, identity theft, and many more dangers come along with the benefits of the internet.
CAs are the trusted entities that stand between users and these dangers, creating a secure environment. Website owners are therefore advised to install SSL/TLS certificates from trusted CAs and protect their digital data.