Wikipedia defines a certificate authority as follows:
“A certificate authority or certification authority (CA) is an entity that issues digital certificates.”
A CA acts as a trusted third party—trusted both by the subject (person/computer) of the certificate and by the party relying upon the certificate (the one you’re talking to). X.509 is the standard format of these certificates.
If you’ve read our other articles, “What is SSL?” and “x509, keys, and certs”, you already know that digital certificates are often used to identify one person or computer in a two-way conversation and to encrypt that conversation.
A “trusted third party” is a person or company that is trusted by the two parties (people or machines) having the conversation. People often use driver’s licenses as a parallel to digital certificates. In this example, a US driver’s license has your name, date of birth, and home address; this is what’s considered the identity information. Your driver’s license number can be regarded as your public key. However, the analogy starts to break down when we look for the private key, of which there isn’t one. Remember that all public keys have a private key, but not all private keys have public keys. This missing key makes the license an incomplete example of a certificate; however, it makes for a relatively simple and straightforward example of a Certificate Authority. If the driver’s license is your certificate, the Certificate Authority would be the state that issued the license. Your driver’s license is effectively signed by the state when they put their official seal on the document.
If you look into an X.509 digital certificate, you will see a field called “Issuing Authority”; this is the Certificate Authority. I bet if I asked you who issued your driver’s license, you would know immediately, as would any establishment that requires you to prove who you are, or some other identifying information about yourself, e.g., your age. This relationship of verified data and an official document makes the “State” a third party, one which is not only well known but is also trusted by a large number of people, making it easy to use everywhere you go.
A few important notes about Certificate Authorities.
Publicly known and trusted CAs are great for identifying and communicating with strangers, and that value is why they have a cost associated with them. However, there is also value in creating an internal Certificate Authority for your organization. There is a significant cost reduction, as well as an opportunity to make the creation, application, and use of certificates to protect your digital data and other assets smooth and seamless. You can accomplish this because the only people or machines that need to trust your Certificate Authority are under your control. If you were to create a certificate authority internally, you might consider using an Intermediate Certificate Authority, which allows you to logically separate network areas, groups, or teams. The root CA and its intermediates would form a one-to-few grouping, and each Intermediate Certificate Authority and the certificates it issues would form a one-to-many relationship. Building a system in this fashion is often called a Public Key Infrastructure. If you’d like to learn more about Public Key Infrastructure, click here for the article “A PKI?”.
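To make the root / intermediate / leaf relationship described above concrete, here is an added example (not code from the original article) that builds such a two-tier internal PKI with the openssl command-line tool, reads each certificate’s Issuer field (the “Issuing Authority” mentioned earlier), and checks that the chain only validates when the intermediate is presented. It assumes openssl is installed; the CA names and the hostname app.internal.example are placeholders.

```shell
#!/bin/sh
# Constructed example: a two-tier internal PKI (root CA -> intermediate CA -> leaf)
# built with the openssl CLI. All names below are placeholders, not real hosts.
set -eu

# make_csr BASE CN: generate a 2048-bit RSA key pair and a CSR for CN into BASE.key / BASE.csr.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# build_pki DIR: create the root, intermediate and leaf certificates under DIR.
build_pki() {
  d="$1"
  # Root CA: self-signed; in practice kept offline and used only to sign intermediates.
  make_csr "$d/root" "Example Internal Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/root.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -sha256 \
    -extfile "$d/root.ext" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA: signed by the root; pathlen:0 stops it from creating further sub-CAs.
  make_csr "$d/int" "Example Team Intermediate CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -sha256 -extfile "$d/int.ext" -out "$d/int.crt" 2>/dev/null
  # Leaf: issued by the intermediate only; the root key never signs end-entity requests.
  make_csr "$d/leaf" "app.internal.example"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:app.internal.example\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# issuer_cn CERT: print the CN from the certificate's Issuer field, i.e. the CA that signed it.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *CN=//'
}

# chain_ok DIR: succeed only if leaf -> intermediate -> root validates against the trusted root.
chain_ok() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# chain_missing_intermediate DIR: the same check with the intermediate withheld. It fails,
# which is why a server must present its intermediate certificate together with its leaf.
chain_missing_intermediate() {
  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}
# Stand-alone demonstration.
work="$(mktemp -d)"; build_pki "$work"
chain_ok "$work" && echo "leaf issued by '$(issuer_cn "$work/leaf.crt")': full chain OK"
chain_missing_intermediate "$work" || echo "without the intermediate: chain rejected"
```

The leaf’s Issuer names the intermediate, the intermediate’s Issuer names the root, and only the root needs to be in the trust store of the people and machines under your control.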