A Certificate Authority (CA) is a trusted organization that issues digital certificates, enabling secure, encrypted communication over the internet by verifying the identity of websites, servers, and users.
A Certificate Authority (CA) is a trusted third-party entity that digitally signs and issues X.509 certificates, which bind a public key to an identity such as a domain name or organization. CAs act as the trust anchor of the Public Key Infrastructure (PKI) system. When your browser trusts a CA, it automatically trusts any certificate that CA has signed.
Without CAs, there would be no reliable way to verify that the server you connect to is who it claims to be, leaving users vulnerable to man-in-the-middle attacks. CAs make HTTPS possible by providing a chain of trust that browsers and operating systems recognize. Major root CAs are pre-installed in browsers and OS trust stores, forming the backbone of secure internet communication.
A server owner generates a public/private key pair and submits a Certificate Signing Request (CSR) containing the public key and identity details to a CA. The CA validates the requester's identity through domain control validation (DCV) or more rigorous organization validation. Once verified, the CA signs the certificate with its own private key, making it cryptographically verifiable by anyone who trusts that CA.
Root CAs sit at the top of the hierarchy and their certificates are self-signed and embedded directly in trust stores. To limit exposure of the root's private key, CAs issue Intermediate CA certificates, which do the day-to-day work of signing end-entity certificates. Browsers verify a certificate by walking up this chain — from the end certificate through intermediates to a trusted root — a process called chain validation.
If a certificate is compromised or issued in error, the CA can revoke it before its expiration date. Revocation status is published via Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP). Browsers check revocation status to ensure they do not trust a certificate that has been invalidated by its issuing CA.
A critical risk in PKI is a CA issuing a certificate to the wrong party, either through error or compromise — this has happened with real CAs in the past. The CA/Browser Forum sets binding industry rules governing how CAs must validate identities, manage keys, and handle incidents. Always use certificates from publicly trusted CAs for public-facing services, and consider Certificate Transparency (CT) logs to monitor for unauthorized certificates issued for your domain.
© RM Full Stack & AI Engineer