All About Certificate Authorities

What is a certificate authority?

A "Certificate Authority" (CA), is a idea of "Public Key Infrastructure" (PKI), in which a special type of certificate is able to essentially co-sign other certificates to verify them as valid and trustworthy to certain levels.

Although CAs are generally trusted, there are non-trusted CAs. These CAs typically exist in corporate networks, in which their computers trust the CA, but others don't. For example, a large company will have internal servers that need to be secured using SSL/TLS, but since nobody outside of the company ever accesses these systems, no computers outside of the company trusts this CA.

What Types of CAs are there?

Root CA

Root CAs are extremely important, as they are specifically trusted, and completely independent from any other certificate. This type of certificate authority is usually very well vetted, and heavily monitored for any type of abuse of trust.

Root CAs are typically not used to sign end user certificates. They usually are used to sign "intermediate CAs". As these certification authorities need to remain secure at all costs, most vendors that add root CAs to their products require regular audits, and complete verification of all details of the proposed root CA.

Intermediate CA

Intermediate CAs are special, in that they are never specifically trusted by vendors. These certificate authorities are only trusted because root CAs co-sign them as trustworthy.

Because these certification authorities are normally used to generate end user certificates, they require some sort of verification of the validity of any certificate's information.

For example, document signing certificates typically require verifying the identity of the certificate holder upon request. This website's certificate required "domain validation", which means that I had to verify ownership of the domain this site is using.

TLS/SSL Certificates

TLS/SSL certificates are one of the most common certificates seen today. These certificates are used to secure website communications primarily, and result in the lock icon being at the top of the page.

Domain validation versus extended validation
Domain validation versus extended validation

Note in the image above, this website has a lock icon, and DigiCert has a lock along with their company name. This shows the difference between "domain validation" (DV), where only the domain is validated, and "extended validation" (EV), where their company is also validated. If you've ever seen the background of the URL you're on at the top of your browser turn green, then you were seeing that the site had an EV certificate.

There are also "wildcard certificates", which allow more than one specific domain and subdomain to be valid for a certificate. The certificate for this site is a "wildcard certificate" in that "*.randomcpu.com" is allowed to use this certificate. This is useful to me, as if I want an email service on this domain, I would likely put it on "mail.randomcpu.com", and this certificate would match that URL too.

Other Types of Certificates

Although TLS/SSL certificates are the most common used today, they are by no means the only certificate type used. I'll list a few different types below, and explain where they're commonly used.

    • Code Signing certificates are used regularly in the software industry. If you've ever installed a computer application and noticed a note that the program is from a certain developer or company when granting it administrator permissions, you've seen the result of these.
    • Client (S/MIME) certificates are typically used to sign documents. These certificates require verification of your identity to get, as they can commonly be used to legally sign documents.
    • Federal Bridge Certification Authority (FBCA) certificates are used by the healthcare industry when exchanging information with federal agencies.
    • WiFi certificates (WPA2 Enterprise Certificates) are used to only allow authorized users access to a WiFi network. In these cases a server that stores a list of authorized users has a certificate, and everyone that connects to the WiFi typically also needs a certificate.

A Notable Mention

Before closing this post, I'd like to mention both CAcert, and Let's Encrypt. I want to mention these two players in the CA industry simply because they both offer free certificates to end users. This is interesting because almost all of their competitors charge money for certificates. Although they only do "domain validation" for certificates, I can highly recommend these two sources for certificates.

Leave a Reply