Security and safety on the internet are essential, and individuals and organizations often have a legitimate need to encrypt their communications and to verify the identity of the parties they are communicating with.
- Issues certificates
- Certifies the identity of the certificate owner
- Proves the validity of the certificate
A certificate, or digital certificate, is a set of data used to verify an entity’s identity. Certificates are issued by CAs and follow a specific format, the X.509 certificate standard.
The information contained in a certificate is:
How Does a Certificate Authority Work?
The process for getting a certificate authority to issue a signed certificate is explained below:
- The requestor or client creates a key pair (public and private key) and submits a request known as a certificate signing request (CSR) to a trusted certificate authority. The CSR contains the public key of the client and all the information about the requestor.
- The CA validates the information in the CSR. If it checks out, the CA issues a certificate, signs it with its own private key, and returns it to the requestor.
- The requestor can then use the signed certificate with the appropriate security protocol:
Uses of a certificate authority
Certificate authorities issue various types of certificates, one of which is the SSL certificate. SSL certificates are used on servers and are the most common certificate that an everyday user encounters. The three levels of SSL certificate are
- Domain Validation (DV)
Domain Validation certificates are the easiest to obtain, since no manual identity check takes place.
DV SSL Certificates require only that the applicant demonstrate ownership of the domain for which the certificate is being requested.
DV certificates can be acquired almost instantly and at low to no cost.
For example, AWS Certificate Manager (ACM) DNS or email validation.
- Code Signing Certificates
Code signing certificates are used by software publishers and developers to sign their software distributions. End users rely on these signatures to authenticate and validate software downloaded from the vendor or developer.
- Email certificates
Enable entities to sign, encrypt, and authenticate email using the S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol, including secure email attachments.
- Device certificates
Issued to Internet of Things (IoT) devices to enable secure administration and authentication of software or firmware updates.
- Object certificates
Used to sign and authenticate any type of software object.
- User or client certificates
Used by individuals for various authentication purposes.
The CA issues a digital certificate, also known as an SSL/TLS certificate, that binds a public key to information about the entity that owns that key. Any system can then verify the entity-key binding of a presented certificate by checking the CA’s signature on it.
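The CSR-to-certificate flow described under "How Does a Certificate Authority Work?" and the entity-key binding a relying party verifies, as an added example in Ruby's standard OpenSSL bindings (example code, not from the original article). The CA name, serial numbers, one-day validity and the domain are constructed values.

```ruby
require "openssl"

# Certificate skeleton valid for one day; the serial numbers are constructed.
def skeleton(serial, subject, pubkey, issuer)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required to carry extensions
  cert.serial = serial
  cert.subject, cert.issuer, cert.public_key = subject, issuer, pubkey
  cert.not_before, cert.not_after = Time.now - 3600, Time.now + 86_400
  cert
end

# Root CA: its own key pair and a self-signed certificate (issuer == subject).
def new_ca
  key = OpenSSL::PKey::RSA.generate(2048)
  name = OpenSSL::X509::Name.parse("/CN=Example Root CA") # constructed name
  cert = skeleton(1, name, key, name)
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,digitalSignature", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Requestor: key pair plus a CSR carrying the public key and requested name, signed with the private key.
def make_csr(dns_name)
  key = OpenSSL::PKey::RSA.generate(2048)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{dns_name}")
  csr.public_key = key
  csr.sign(key, OpenSSL::Digest.new("SHA256"))
  [csr, key]
end

# CA: the CSR signature proves the requestor holds the private key (a real CA also performs domain validation here); then bind the CSR's public key to the name and sign with the CA key.
def issue(csr, ca_cert, ca_key)
  raise "CSR signature invalid" unless csr.verify(csr.public_key)
  cert = skeleton(2, csr.subject, csr.public_key, ca_cert.subject)
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{csr.subject.to_a.assoc("CN")[1]}"))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth"))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Relying party: the leaf must chain to the trusted root and be issued for dns_name.
def verify_chain(leaf, root, dns_name)
  store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(root) }
  store.verify(leaf) && OpenSSL::SSL.verify_certificate_identity(leaf, dns_name)
end
```

A certificate signed by a different CA, or presented for a hostname it was not issued for, fails verify_chain even though its own contents look valid.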
CA Hierarchy options:
CAs are hierarchical in structure, and there are generally three types of hierarchies: one-tier, two-tier, and three-tier.
A single-tier hierarchy is not recommended for any production scenario because a compromise of its one CA is a compromise of the entire PKI.
A certificate authority plays the key role of enabling secure communication and building trust between a user and a resource by verifying that the organization and client in question are authentic.
For a complete list of the recommendations for planning a CA hierarchy, along with the level of business impact at which you should consider implementing them, refer to Securing PKI: Appendix F: List of Recommendations by Impact Level.