Certificate Authority Definition

KZero Staff
Jul 27, 2023

What is a Certificate Authority?

A certificate authority (CA) is a trusted organization that verifies the identity of individuals, organizations, or devices and issues digital certificates – or CA certs – to validate their authenticity. CAs play a crucial role in enabling secure online communications. When a website or application presents a digital certificate signed by a trusted CA, it provides assurance to users that the entity they are interacting with can be trusted.

How Does a CA Issue a Digital Certificate?

A digital certificate is intended to verify the authenticity of a public key owned by a user or website. The first step in the certificate process is verification of the identity of a user’s identity or that they own a particular website. Often, CA’s accomplish this by having the user include a certain file on the site. If the CA finds this file, then the user is likely the owner of the site.

Once identity verification is complete, the CA creates a digital certificate, which includes information about the user’s identity and their public key. This digital certificate is then digitally signed by the CA, which verifies its authenticity.

How Digital Certificates are Verified

Every digital certificate contains a chain of trust pointing back to a trusted root CA. A digital certificate is valid if it has a valid chain of trust and trusted root CA and hasn’t expired or been revoked.

The chain of trust in a digital certificate consists of one or more CAs digitally signing other certificates. For example, a root CA may digitally sign the digital certificate of an intermediate CA, verifying their public key. That intermediate CA might generate a digital certificate for another intermediate CA or for an end user.

In the end, an end user’s certificate will include a chain of certificates where the public key used to verify the signature in one certificate is verified by the next digital certificate up the chain. Verifying this chain of trust requires checking that each signature in the chain is valid.

At the end of the chain is a root CA whose digital certificate is signed by its own key. Every computer includes a list of trusted root CAs. If the root CA is in this list, then it is trusted and the chain of trust is validated.

At this point, all that’s left is to see if the digital certificate is still valid. If the expiration date is in the future and the digital certificate isn’t included in a certificate revocation list (CRL), then it’s good to go.

Public vs. Private CAs

CAs play a crucial role in public key infrastructure (PKI), which is used to verify that a public key is valid. While the public Internet has PKI, companies can also implement it within their organizations.

By default, the list of root CAs built into a computer is for public root CAs. These CAs have the ability to issue digital certificates for public websites that anyone will trust. If you’re using HTTPS to browse the Internet, you’re trusting certificates from these public root CAs.

A company can create an internal root CA by adding it to the list of trusted root CAs on its computers. The digital certificates generated by these CAs are used for encrypted emails and other purposes inside the organization. However, computers without the company’s root CA in its list of trusted CAs won’t trust these digital certificates.


CAs are a vital part of PKI, which verifies the authenticity of public keys on the Internet or within an organization. These public keys can be used for various purposes, including encrypting data and generating digital signatures to ensure data integrity and authenticity.

KZero Staff

Explore more insightful content from the knowledgeable KZero staff on our blog and guides section.

Glossary Terms

Stay up to date with the most recent #infosec topics

Trending Topics

Interested In
Next-Gen MFA?

Discover Multi-Pass enterprise passwordless authentication

Share the page: