Certificate Authority (CA)

A Certificate Authority (CA) is a trusted organization responsible for issuing, validating, and revoking digital certificates within a Public Key Infrastructure (PKI). These certificates confirm that a public key belongs to a specific individual, device, or organization, creating a chain of trust on the internet. CAs act as digital notaries, ensuring that users can safely exchange information and verify the identity of websites, email servers, and other services. Well-known global CAs include DigiCert, Sectigo, and Let’s Encrypt. Without CAs, it would be nearly impossible to establish secure and trustworthy connections on a large scale.

How it works

1. A website or entity generates a Certificate Signing Request (CSR) containing its public key.
2. The CA verifies the applicant’s identity, depending on the certificate type (Domain Validation, Organization Validation, or Extended Validation).
3. The CA issues a digital certificate binding the public key to the verified identity.
4. Web browsers and operating systems check certificates against a list of trusted CAs to ensure authenticity.

Why it matters

CAs are central to maintaining security and trust on the internet. They prevent attackers from impersonating legitimate services by ensuring certificates are issued only to verified entities. If a CA is compromised or careless, millions of users may be at risk. For this reason, CAs are heavily regulated and audited.

Examples

• Let’s Encrypt provides free SSL/TLS certificates for millions of websites.
• Extended Validation (EV) certificates from major CAs confirm a company’s legal identity.
• Enterprises often run private CAs to issue certificates for internal apps and devices.