Certificate Authorities (CA) Play a Crucial Role in the SSL Ecosystem, Here’s Why.

Is it like an organization where you stand in line and wait for your turn to get the paper stamped? You couldn’t be more wrong if you did!

A certificate authority (CA) is an organization that provides digital SSL/TLS Certificates to entities that deal with the collection and storage of user data. The verification of the information provided by the organization claiming to be who they are is done by these entities.

What is a Certificate Authority (CA)?

In today’s age, the smart thief isn’t the one that waits for the owner to go out so that they can execute a residential robbery. The smart thief is the one who knows that accessing the data of 1000 people and taking $5 from them will make it a $5000 couch-warming robbery. Police may as well get tricked into thinking that the thief is in the islands of Somalia.

Now that the internet is being used for the transmission of sensitive data and information, it becomes necessary to look in the direction of user and user-data safety. That’s how the idea of SSL/TLS certificates was born.

Introduced in 1995 by Netscape, SSL/TLS certificate is a technology that encrypts information transmitted between a user and server. In Layman’s terms, these certificates turn sensitive information into an undecipherable format so that a cyber-attacker cannot read or tamper with it. As you may concur, the digital certificates are provided by the certificate authorities. These are the organizations that are publicly trusted by web browsers and the CA/Browser Forum[1]. In addition, CAs verify the identity of the websites’ owner to make sure they are who they claim to be.

What does a Certification Authority Do?

There are two important activities that CA does:

  • Vetting (verifying) identity of the website owner or organization: When you request a certificate from CA, it verifies the information you provide. This information includes the organization’s name, domain name, address, email address and a public key.
  • Issuing the certificate: Once the information is validated, the CA issues the certificate in the name of the organization or domain.

What are the CA Certificates?

If you have a passport, you know how ready you need to be in order to prove who you are!

The questions that are asked to you about your birth and your residence. The proofs you have to give in order to prove you are telling the truth. The passport tells the entire world that you are who you claim to be.

Getting a digital certificate or, say, the CA certificate is a purely online process, and you need to provide the information that is asked to you about the company for which you are requesting the CA certificate. It is the web passport for your website. It contains the information and the encryption key that tells the users that they have made a secured connection with the website. It keeps the data safe from man-in-the-middle (MiTM) attacks.

The Importance of Certificate Authorities in PKI

Certificate Authority is the cornerstone of a larger system called Public Key Infrastructure (PKI). The below image shows the important parts of PKI.

The important aspect of digital security is that the third person should not be able to access the information stored on the servers. The information has to be between the user and the website itself. This asks for the websites to up their security so they get the SSL/TSL certificates.

The certificate authorities are not only responsible for making sure the websites are secured but are also responsible for revoking the certificate if any malicious activity is detected. In simple words, the objective of these authorities is to make sure that the internet stays a safe place for both website owners and users.

Paypal with HTTPS

In the above image, there’s a padlock visible on the left of the URL. This padlock is one of the initial cues that tell the user that the website is safe to use.

Paypal on HTTPS
how to view SSL details in the browser

When the user clicks on the padlock, they can see a tab pop up. The tab shows that the connection is secure. When the user clicks on “Connection is secure,” they land on the tab shown in the image on the right.

The image on the right shows the text “Your information (for example, passwords or credit card numbers) is private when it is sent to this site,” which proves that the website is secured by a CA-approved SSL/TLS certificate.

SSL certificate info in the browser

Upon clicking on “Certification is valid,” a new window appears that shows the certified information from the certification authority. It contains information such as the domain name to which the certificate is provided.

The certification authority that has provided the certificate. In this case, it is DigiCert Inc. This information also contains the date from and through which the certificate stays valid.

How the CA Certificates Work

Once the CA certificate is issued for the website, the users can trust the website with their data.

The Chain Of Trust:

  • The chain of trust is the hierarchical structure of digital certificates in which the originating entity is the root certificate (the certification authority itself)
  • Next up is an intermediate certificate that acts as an insulation between the CA certificate and the end-entity, i.e., the website.
  • Finally, the end-entity certificates are used to validate the website’s, owner’s, or the person’s identity.
root certificate

When does the CA Certificate Get Revoked?

  • In case the certification authority realizes that it has improperly issued a certificate, it revokes the certificate and issues a new one for the same entity.
  • If the CA discovers that the certificate used by an entity is a counterfeit, it revokes the certificate and adds it to the Certificate Revocation List (CRL).

Note: The certificate is not added to the CRL if it has EXPIRED.

Other reasons your certificate might get revoked for:

  • The CA that provided you with the certificate has been compromised.
  • The domain you get the certificate issued for is no longer under your ownership.
  • The operations of your entity are ceased entirely.
  • On the replacement of the old certificate by a new certificate.

Revocation of certificate isn’t uncommon and happens every now and then. In 2019 Google[2] and Apple[3] revoked not thousands but millions of certificates due to the mistaken issuance of non-compliant 63-bit serial numbers.

Public CA vs. Private CA

Public CA Private CA
Public CAs are the certification authorities trusted publicly by the users. Private CA’s function within an organization, and it is ‘trusted’ by the users inside the organization.
Issues the majority of Certificates on the internet. The major use of Private CA is done by large organizations for their internal purposes.
Favorable in scenarios where a limited number of certificates need to be issued. Organizations have multiple domains and departments. So, the Private CA is used in order to create a large number of certificates
For transparent communication over the internet. For the internal operations of an organization.
For providing services and showcasing products to mass audiences, one needs a Public CA. For intra-communication and maintenance of data within the company’s departments.
For Example
Sectigo[4]
Digicert
Entrust Datacard
Globalsign
GoDaddy
Let’s Encrypt
For Example
Virtual Private Networks (VPNs)
Internet Sites
Private E-mail Signing Certificates
Closed User-Group Services
File Sharing Applications

Certification Authority List and Who Certifies the Certifiers?

From the table that we just saw, we understood that there are different certificate authorities that provide the certificates after validating the information received from the website owners.

The List of Popular CAs

Listed below are the most popular CAs from the handful that is available

  • Sectigo SSL[5]
  • Comodo SSL[6]
  • DigiCert SSL
  • Symantec SSL
  • Rapid SSL
  • GeoTrust SSL
  • Thawte SSL
  • Network Solutions SSL
  • GoDaddy SSL
  • Entrust Datacard

This certificate authority List is approved by different larger entities.

This lands us on one question! Who decides which authorities are to be publicly trusted?

Well, it’s a very excellent point to cross your mind!

  • Microsoft decides the CAs to be trusted publicly by Windows Machines
  • Apple decides the CAs to be trusted publicly on their devices and the Safari Browser
  • Mozilla decides the CAs to be trusted publicly in Firefox and Linux Machines

How CAs Help Take Control Over Cyber Crime & Maintain Peace in the Virtual World

We access so many websites and so much data through the internet every single day. The internet happily serves everything to you on a platter with more than what you need.

The CAs are responsible for making the internet a safer place for users and organizations – validating the individuals and organizations – issuing the certificates for authentication, and facilitating encryption. As breachers continue to find a way to commit cybercrime, getting an SSL/TLS certificate isn’t optional now. We hope this article was helpful to you in understanding what certificate authority is.

The post What is a Certificate Authority (CA) in PKI? Here’s the Ultimate Guide[7] appeared first on CheapSSLWeb.com Blog[8].

*** This is a Security Bloggers Network syndicated blog from CheapSSLWeb.com Blog[9] authored by CheapSSLWeb.com Blog[10]. Read the original post at: https://cheapsslweb.com/blog/what-is-a-certificate-authority-in-pki[11]

References

  1. ^ CA/Browser Forum (cabforum.org)
  2. ^ Google (www.techtarget.com)
  3. ^ Apple (www.techtarget.com)
  4. ^ Sectigo (cheapsslweb.com)
  5. ^ Sectigo SSL (cheapsslweb.com)
  6. ^ Comodo SSL (cheapsslweb.com)
  7. ^ What is a Certificate Authority (CA) in PKI? Here’s the Ultimate Guide (cheapsslweb.com)
  8. ^ CheapSSLWeb.com Blog (cheapsslweb.com)
  9. ^ CheapSSLWeb.com Blog (cheapsslweb.com)
  10. ^ Read other posts by CheapSSLWeb.com Blog (securityboulevard.com)
  11. ^ https://cheapsslweb.com/blog/what-is-a-certificate-authority-in-pki (cheapsslweb.com)

Source