A Certification Authority (CA) is an independent and trusted organization that verifies, publishes and validates the digital identity of persons. Its product, the digital certificate, is a document that confirms, in the world of the Internet, that a person really is who he (she/it) claims to be. A person can be an individual, an organization or a business.
Thus, in terms of identity verification, the certification authority has essentially the same function as a notary. While a notary verifies each and every signature, the certification authority verifies the identity (on the basis of certain supporting materials) in order to create a digital signature. The veracity of the person's identity is then confirmed by a document called a digital certificate. Digital certificates are essential for secure communication on the Internet. The certification authority must therefore be trustworthy for both communicating parties: the person to whom the digital certificate is issued, and the person to whom the certificate should guarantee the authenticity of the certified person's identity.
How can we get a digital certificate?
Based on your request, which you sign with your private key, the certification authority (CA) issues a digital certificate carrying the corresponding public key. To do so, the CA must first verify your identity. If the applicant is an individual, he or she has to present an identity card. An applicant that is a company must provide certain documentation (such as a Certificate of Incorporation). The certification authority is part of the Public Key Infrastructure (PKI) and is an entity trusted by all parties. In principle, a CA has two functions:
- it verifies the person's identity
- it generates a digital certificate and publishes the corresponding public key
How do we verify the certification authority’s signature?
In order to verify the CA's signature, your computer must have the CA's certificate at its disposal. There are two ways a CA's certificate can get onto your computer:
- the certificate is part of the standard installation of a web browser or email client, which ships with a list of certificates from the most common certification authorities
- the users install the certificate on their computer themselves; the certificate then has to be explicitly marked as trusted
Who can be a certification authority?
In general, virtually any company (or other person) can become a certification authority (a so-called commercial certification authority). However, the certificates it issues have to meet all the formal requisites, which requires suitable software. A new CA may issue, renew or revoke certificates, but they will only be accepted by users who trust the issuing CA, i.e. in practice it will only be used within a closed community, such as a company, where the certificate can be used to encrypt internal communications and thus reduce costs.
However, if we need a certificate for public communication (e.g. a secure website), a certificate issued by an unknown CA will not be trusted by other companies or other participants in the communication. There are only a couple of dozen globally recognized certification authorities, the largest being Comodo, IdenTrust, Symantec, GoDaddy, GlobalSign and others. These CAs take care of the global distribution of their root certificates to trust repositories such as those built into web browsers. Certificates included in these repositories are considered authenticated. All of this happens in the background, so as users we do not have to worry about downloading certificates.
It is therefore highly recommended to use certificates from trusted CAs, so that the counterparty (e.g. visitors to websites and web applications, recipients of emails, etc.) can easily verify the authenticity of the certificate without having to install a root certificate from an unknown CA.