A certificate authority (CA) is an entity that issues digital certificates. A digital certificate certifies that the named subject of the certificate owns a given public key. This allows others (relying parties) to rely upon signatures made with, or assertions made about, the private key that corresponds to the certified public key.
One particularly common use for certificate authorities is to sign certificates used in HTTPS, the secure browsing protocol for the World Wide Web.
Web browsers know how to trust HTTPS websites based on certificate authorities that come pre-installed in their software, such as:
- Let’s Encrypt
- Network Solutions
In this way, web browser makers trust certificate authorities to issue only valid certificates. Therefore, a user should trust an HTTPS connection to a website if and only if all of the following are true:
- The user trusts that the web browser software correctly implements HTTPS with correctly pre-installed certificate authorities.
- The user trusts the certificate authority to vouch only for legitimate websites.
- The website presents a valid certificate, meaning one signed by a trusted certificate authority.
- The certificate correctly identifies the website (e.g., when the web browser visits https://webdiy.org, the certificate it receives is genuinely for WebDiY.org and not for some other entity).
- The user trusts that the protocol’s encryption layer (SSL/TLS) is sufficiently secure against eavesdroppers.
A certificate authority acts as a trusted third party (TTP) — trusted both by the subject (owner) of the digital certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 standard.
Certificate authorities are also responsible for maintaining up-to-date revocation information about certificates they have issued, indicating whether certificates are still valid.
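The trust conditions listed above and the revocation duty described here are exactly what a browser's certificate verifier enforces. The Go program below is an added example, not code from the page or from any browser or CA: using only the standard library (Go 1.19 or later, for the CRL parsing calls), it builds a constructed root CA, issues a leaf certificate for webdiy.org (the hostname used on the page), publishes a CRL, and then runs the relying-party checks for each condition: chain to a pre-installed root, hostname match, validity period, and revocation. The CA name, the serial numbers, the hostname `other.example`, and all function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const siteName = "webdiy.org" // hostname from the page; CA name and serial numbers below are constructed
// must aborts on setup errors: all data here is constructed, so a failure is a bug, not a verdict.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA makes a self-signed root and its signing key: the role of a CA pre-installed in a browser.
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issue has the CA vouch that a freshly generated site key belongs to dnsName.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	siteKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: dnsName},
		DNSNames:  []string{dnsName}, // browsers match the hostname against the SAN, not the CN
		NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &siteKey.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// revoke publishes a CRL, signed by the CA, withdrawing its vouching for one serial number.
func revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, serial int64) *x509.RevocationList {
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: now}},
	}, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// verifySite applies the relying-party checks from the page: trusted root, validity at time now, hostname, and CRL.
func verifySite(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time, crl *x509.RevocationList) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return err
	}
	if crl != nil {
		if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the leaf's issuer
			return err // a CRL the issuer did not sign proves nothing
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return errors.New("certificate revoked by its issuer")
			}
		}
	}
	return nil
}

// scenarioResults runs the checks over constructed certificates; every entry should be true.
func scenarioResults() map[string]bool {
	now := time.Now()
	ca, caKey := newCA("Constructed Trusted Root", now)
	roots := x509.NewCertPool() // stands in for the browser's pre-installed store
	roots.AddCert(ca)
	good := issue(ca, caKey, siteName, 100, now.Add(-time.Hour), now.Add(90*24*time.Hour))
	expired := issue(ca, caKey, siteName, 101, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	crl := revoke(ca, caKey, now, 100) // the CA later withdraws its vouching for serial 100
	return map[string]bool{
		"trusted issuer, correct host, in validity": verifySite(good, roots, siteName, now, nil) == nil,
		"certificate for another host rejected":     verifySite(good, roots, "other.example", now, nil) != nil,
		"issuer not in trust store rejected":        verifySite(good, x509.NewCertPool(), siteName, now, nil) != nil,
		"expired certificate rejected":              verifySite(expired, roots, siteName, now, nil) != nil,
		"revoked certificate rejected":              verifySite(good, roots, siteName, now, crl) != nil,
	}
}

func main() {
	for name, ok := range scenarioResults() {
		fmt.Printf("%-45s %v\n", name, ok)
	}
}
```

Run it with `go run`; each printed line shows whether the verifier reached the outcome the page calls for. Two design points matter for a relying party: the hostname is matched against the certificate's Subject Alternative Name rather than its Common Name, and the CRL's signature is checked against the issuer taken from the verified chain before the CRL is consulted, since a revocation list that the issuer did not sign carries no authority. Real browsers obtain revocation information through their own mechanisms rather than a CRL handed in directly as here, but the check they apply is the same.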