What is the concept of a certificate authority? Before I answer that, let me take a step back and ask you a question. Would you hand a stranger on the street your banking information or social security number? Most likely not. People, on the other hand, do the digital version of this on a regular basis through their favourite websites. They give out personal information on ecommerce, banking, and credit bureau websites without knowing whether the sites are secure, safe, or legitimate. Furthermore, they do so without fully comprehending what makes a site secure, safe, or trustworthy.
However, how can you tell whether a website is any of these things? How do you know whether you’re shopping on a legitimate ecommerce platform or banking on a legitimate banking site, for example? And how do you know your data is being transmitted safely? This is where a certificate authority comes in.
To help you better understand certification authorities’ position in internet protection, we’ve compiled a list of the most frequently asked questions.
What Is a Certification Authority (Certificate Authority)?
A certificate authority is a trusted third-party organisation that creates and issues digital certificates that web browsers and operating systems recognise. CAs are essential to digital security (and internet security) as we know it because it is their job to vet organisations and websites and to issue certificates to those that pass.
The original term for what we now call a certificate authority or a CA was “certification authority.” As a consequence, you’ll sometimes hear them referred to by these various names.
What Does a Certificate Authority Do?
A public certificate authority (PCA) is a government-backed agency that issues digital certificates to individuals, corporations, and other organisations. These certificates are essentially small data files containing verified identifying details about the company. CAs are a way to establish credibility with people who don’t know you (or your company) personally by making a reliable third party vouch for you.
But, in terms of website protection, what does it all mean?
The certification authority examines the requesting entity before granting a certificate. To ensure that the business is legitimate, they review documentation and records collected from official sources. After that, the CA issues a digital certificate that the company may use to encrypt and digitally sign their websites, apps, and email correspondence.
So, if you’re looking for a certificate for your company, here’s what a certification authority can help you with:
- Demonstrate your company’s identity. You can shout “I’m me!” all you want, but this is a way for you to establish your identity in the eyes of the rest of the world.
- Verify that your company is legitimate (and that your website isn’t being impersonated). Hackers are cunning individuals who are constantly on the lookout for new ways to dupe users into providing personal information or clicking on malicious links. What better way to do that than to build a fake website that looks similar to your real one and claim to be you?
CAs also help you, in a roundabout way, to create secure, encrypted connections between your web servers and your users’ browsers. Once a CA has issued an SSL/TLS certificate for your website, for example, your server can use the transport layer security (TLS) protocol to send and receive encrypted data. As a site owner, this helps protect the data flowing to and from your servers. It safeguards against eavesdropping and man-in-the-middle (MitM) attacks, which can lead to data theft.
Certificate authorities are also in charge of keeping certificate revocation lists (CRLs), which inform the public when certificates are revoked before their expiration dates.
Public CAs Are the Identification Card Issuers of the Internet
To put it another way, certificate authorities act as the internet’s identity verification authorities. They’re akin to the agencies that issue a state’s or country’s identification cards.
Each state in the United States has its own Department of Motor Vehicles (DMV), which is in charge of issuing driver’s licences. These licences are government-issued identification cards that can be used to prove your identity while driving, purchasing alcohol, applying for jobs, and performing other activities.
In addition to taking a driver’s test, you must also have various forms of official documentation that prove your identity when applying for a driver’s licence. This covers everything from birth certificates and social security cards to green cards and other forms of proof of citizenship.
After you’ve verified your details with a third party (in this case, the DMV), a DMV employee will take your photo, which will be shown alongside your official signature on the licence. They then print holographic labels on the card to show that it is genuine and not a forgery (think of this like a digital signature). This document can then be used to prove your identity.
A Real-World Example of How a Public CA Works
The best way to grasp what a certification authority is, of course, is to consider a real-world example of what one does in terms of website protection.
Assume you’re someone who dabbles in investing and conducts your business through Vanguard.com. How do you know you’re on The Vanguard Group, Inc.’s official website? After all, the website appears to be real, with logos and branding that complement the company’s. It might, however, be a very well-designed phishing website… which is why knowing what to look for is crucial.
The padlock protection icon can be found in the web address area of the Google Chrome browser. This means that the browser is connected to the site’s server through a safe, encrypted link.
Do you see the padlock icon in the address bar? That means your browser is using a secure, encrypted link to connect to the site’s server. Okay, that’s fine. So you know your data is being transmitted over a protected, encrypted channel, but that doesn’t mean the site is safe. This is because even phishing websites can obtain domain validated (DV) SSL/TLS certificates from less-than-scrupulous CAs. According to the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report for Q1 2020, approximately 75% of phishing websites used SSL/TLS certificates as of the end of Q1 2020!
This is why it’s important to know whether you’re connecting to a legitimate web server or a hacker’s spoof. After all, a cybercriminal can obtain a free DV certificate and use it to display the padlock icon on their website. This is why it’s important to understand the difference between a secure and a safe website. Since you don’t know who you’re talking to on the other end of the encrypted link, a secure site — one that communicates over an encrypted channel — isn’t necessarily safe.
This window appears when you click the padlock protection icon in the address bar, and it reveals that the website’s SSL/TLS certificate was given to the validated organisation The Vanguard Group, Inc. [US].
You can tell that a website is genuine if it uses a certificate that at the very least validates organisational identity (more on that later).
To see more details, click on the certificate information and open the Details tab. You can read the organization’s verified information by selecting the Subject field.
Certificate Authority Validation Levels
Certificate authorities must check organisations and individuals to ensure that they are authentic and not impostors. They use three different levels of validation:
Domain Validation (DV)
This is the simplest form of validation. It only requires the CA to verify that the individual or entity seeking the certificate controls the domain or website in question. This can be accomplished by sending a validation link to your registered email address, or by providing one or more files that you must upload to specific directories on the domain.
Since this procedure is so simple, it is usually completed automatically, resulting in the issuance of a certificate in a matter of minutes. However, if you want more in-depth verification, you can use the next level of validation.
Organization Validation (OV)
This is the next step up from domain validation and is often referred to as a basic business validation certificate. The reason for this is that it provides more thorough vetting of an entity than a DV certificate while being less comprehensive than the next type of certificate we’ll discuss.
This window appears when you click the padlock protection icon in the address bar, and it reveals that the website’s SSL/TLS certificate was provided by COMODO RSA Organization Validation Secure Server CA. However, unlike the EV certificate used on the Vanguard website, the organisational information is not shown right away.
This is why, for organisations that collect, process, or use confidential or personally identifiable information (PII), organisation validation should be the bare minimum. Ideally, organisations that collect and process this type of data should use extended validation. However, if they don’t, OV should be the bare minimum level of validation.
Extended Validation (EV)
Extended validation is the most comprehensive form of business validation available from certificate authorities. This type of certificate requires the most information about your company and can take up to five days to process.
An example of a site that uses an EV certificate is Vanguard.
Why Do We Need Certification Authorities?
What is the point of getting a driver’s licence or a state ID card? It enables you to prove your identity to third parties who may otherwise not know you. Because CAs are trusted to issue legitimate, reliable certificates, a CA helps you establish trust with others — and trust is crucial in public key infrastructure (PKI). (We’ll come back to PKI later.)
In the eyes of others, confidence gives you credibility. Simply put, public certificate authorities vouch for you by certifying that you are who you say you are and that you are trustworthy to browsers, email clients, and operating systems. They do this by conducting background checks and issuing digital certificates. How does anybody know if you are trustworthy if you don’t have a reliable third party to stand in for you and vouch for you? It’s the equivalent of the DMV giving you an official ID card that confirms you’re who you say you are.
When you apply for an SSL/TLS certificate for your company’s website, the same thing happens. When vetting the organization’s details, a public CA is responsible for adhering to strict standards and processes. They do so by following a defined set of procedures and using official documentation and tools. This gives web browsers, email clients, and operating systems confidence in the CA’s assertion that you are who you say you are.
CAs Provide Verification (and Help You to Establish Trust with Others)
The public key encryption trust model at the heart of public key infrastructure (PKI) relies on publicly trusted CAs and the digital certificates they issue. (We’ll go over PKI and digital certificates in more detail later.)
What Makes a Public CA Trustworthy?
Third-party certification authorities are generally trustworthy for two primary reasons:
- Certificate requestors have no power over public CAs, which are autonomous. There is a significant distinction between public and private certificate authorities in that public CAs are distinct from the institutions that seek certificates.
- Public CAs (and the certificates they issue) must meet certain minimum requirements. The CA/Browser Forum (CA/B Forum), for example, publishes baseline requirements. And because of the way the certificates are constructed and signed, no one can alter them without the change being detected.
It’s All About Belief…
It is vital for a certificate authority to have the confidence of third-party organisations in order for the authentication system it helps build to function. The X.509 specifications come into play here; they define the X.509 digital certificates that are at the heart of public key infrastructure (PKI). (We’ll go through these certificates in greater detail later.) X.509 (10/19) is the most recent edition of the standards, which was authorised in October 2019 but requires payment to use.
The X.509 (10/2016) standards document — the latest free version of the standards — refers to trust in a CA as the:
“Belief that the certification authority (CA) will act reliability and truthfully in the management of its public-key certificates and will comply with its published certification practise statement and relevant legislation.”
Yes, I know there’s a typo in there — it should say reliably instead of reliability, but what can you do? Typos happen. That aside, the main take away here is that the CA is expected to behave a certain way and serve as a reliable — trustworthy — certification entity.
The original X.509 (11/1988) standards document talks about the importance of trust:
“The key role of trust in the authentication framework is to describe the relationship between an authenticating entity and a certification authority; an authenticating entity must be certain that it can trust the certification authority to create only valid and reliable certificates.”
What Is an Example of a Certification Authority?
A publicly trusted certificate authority like Sectigo is an example. Sectigo is one of the largest commercial CAs in the world. While there are hundreds of CAs, the majority of organisations and individuals depend on just a dozen or so to issue their digital certificates.
So far, we’ve only talked about public CAs (and, to be honest, that’s all we’ll talk about in this article). But did you know that there are many different types of CA? Public and private certificate authorities are the two types of certificate authorities.
Private Certificate Authorities
A private CA (or private certification authority) is a certificate authority that is controlled by the entity for which it issues certificates. It’s basically the same as proving your identity by signing your own driver’s licence. While a self-signed certificate can work inside your own organisation, it’s obvious that this approach isn’t going to fly with third parties who don’t know you.
Public Certificate Authorities
Public certificate authorities, on the other hand, are autonomous bodies that are not under the jurisdiction of the organisations to which they grant certificates. As a result, when people talk about CAs, they almost always mean public CAs.
What Is the Role of a Certificate Authority in Public Key Infrastructure?
The X.509 standards describe public key infrastructure as “the infrastructure capable of supporting the management of public keys capable of supporting authentication, encryption, integrity, or non-repudiation services.” PKI is the structure — the policies, procedures, and technologies — that is used to build the foundation of website protection.
Without PKI, data could only be transmitted over the internet in plaintext, with no encryption to secure it. And no one could know for sure whether the entities on the other end of websites or emails are trustworthy.
Certification authorities are one of the most critical components of public key infrastructure. This infrastructure consists of:
- a wide range of parties (certificate authorities, web browsers, operating systems, etc.)
- the regulatory guidelines, processes, and procedures outlined by the CA/B Forum
- technologies such as PKI digital certificates (which tie your distinguished organisational name and public key to your identity), digital signatures (which sign the digital certificates), and public-private key pairs
If you want to learn more about PKI in particular, read our other blog, which explains what it is and how it functions. X.509 digital certificates or X.509 public key certificates are the common names for these PKI certificates.
What Is a Digital Certificate and What Does It Do?
Remember how we said earlier that a public CA is the internet’s DMV? A PKI digital certificate, like your government-issued ID card or passport, is a document that proves you are who you say you are to those who don’t know you. Instead of your picture and other licence details, it’s a digital file containing the following vital information:
- Name and contact information for your company — The subject field verifies that your company is legitimate and owns the certificate.
- Your public key is the half of your public-private key pair that is visible to the general public.
- The name of the certificate issuer — This is the name of the certificate authority that issued the certificate (such as Sectigo).
- The digital signature of the CA — This verifies that the certificate was issued by a reputable CA.
- A serial number — A serial number is a code that is unique to your SSL/TLS certificate.
- Dates of issuance and expiration of your certificate — These certificates are only valid for a limited period (up to 398 days beginning Sept. 1, 2020).
This data aids you in establishing your organization’s identity in the eyes of others. You can, for example, verify to website users’ browsers that your website/server is actually owned by your company.
The Different Types of X.509 Digital Certificates
Of course, CAs may issue certificates for purposes other than website protection (SSL/TLS certificates). They also publish:
- Code signing certificates
- Document signing certificates
- Email signing certificates (also known as S/MIME certificates)
How Certificate Authorities Issue Digital Certificates for Websites
It takes a long time for a third-party certification authority to grant SSL/TLS certificates. As a result, we’ve included the following graphic to help you understand the process:
As the diagram above shows, it begins with you requesting an SSL/TLS certificate for your domain from a public CA. Before issuing the certificate, the certificate authority must first verify your identity and that you own the domain in question. Once they’ve done so, they can issue your certificate, which bears their digital signature as proof that it was issued by them.
You will then install the certificate on your web server once you have it. This allows you to create secure, encrypted communication channels with site users’ browsers and to verify your identity to them.
TL;DR: A Quick Overview of Certification Authorities
Yes, that was a lot of information to sift through. So, for those of you who only want to skim or need a fast refresher, here are the main points to remember about public certificate authorities:
- Certificate authorities are similar to the Department of Motor Vehicles in that they issue identification cards.
- They allow you (your company) to authenticate yourself to third parties who are unfamiliar with you. They do this by releasing digital certificates that are digitally signed and serve as proof of your legitimacy.
- Public CAs play a crucial role in public key infrastructure and overall internet security. They’re the ones that make it possible to build confidence.
- Sectigo is an example of a publicly trusted certification authority.
- They can help you authenticate yourself or your organisation to others through websites, emails, software, and documents by issuing X.509 digital certificates.
- They validate your details at one of three levels of validation: domain validation, organisational validation, and extended validation.