Certificate Authority (CA)

A Certificate Authority (CA) is an entity that issues digital certificates.^[600-developer-tools-security-security-file-extension-name.md] These certificates serve as electronic credentials that verify the identity of the certificate holder and facilitate secure, encrypted communications, typically via [[SSL]]/TLS.^[600-developer-tools-security-security-file-extension-name.md]

In the context of web security, a CA acts as a trusted third party. Browsers and operating systems inherently trust specific "Root" CAs whose public keys are embedded within the system.^[600-developer-tools-security-security-file-extension-name.md] This creates a "chain of trust," allowing end-users to securely connect to websites without manually verifying the server's identity themselves.

Certificate Formats

CAs issue certificates in various standard file formats, depending on the platform and use case.

  • PEM: The most common format (Base64 encoded ASCII), typically used with Apache servers. Extensions include .pem, .crt, .cer, and .key.^[600-developer-tools-security-security-file-extension-name.md]
  • DER: A binary format often used in Java platforms. It does not contain "BEGIN/END CERTIFICATE" statements like PEM files.^[600-developer-tools-security-security-file-extension-name.md]
  • P7B (PKCS#7): Used in Windows and Java Tomcat, this format stores certificates and chain certificates but excludes the private key.^[600-developer-tools-security-security-file-extension-name.md]
  • PFX/P12 (PKCS#12): A binary format used to store the server certificate, intermediate certificates, and the private key in a single, encrypted file. This is the standard for importing/exporting certificates on Windows machines.^[600-developer-tools-security-security-file-extension-name.md]

The Signing Workflow

The process of obtaining a signed Digital Certificate from a CA typically involves generating a CSR and having the CA sign it.

1. Certificate Signing Request (CSR)

A Certificate Signing Request (CSR) is a file sent to a CA when applying for an SSL certificate.^[600-developer-tools-security-security-file-extension-name.md] It contains essential information about the applicant, such as:

  • Common Name (CN): The domain name to be protected (e.g., www.example.com).
  • Organization (O): The legally registered name of the organization.
  • Organizational Unit (OU): The specific department (e.g., IT).
  • Locality (L), State (ST), Country (C): Geographic information.

Generating the CSR also produces a private key, which the applicant must keep secure; only the CSR file itself is submitted to the vendor.^[600-developer-tools-security-security-file-extension-name.md]

2. CA Signing

Once the CSR is submitted, the CA validates the information. Upon validation, the CA uses its own private key to sign the certificate, creating a Digital Signature that binds the public key (from the CSR) to the entity's identity.^[600-developer-tools-security-security-file-extension-name.md] This signature allows clients to verify the certificate using the CA's public root key.
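The two steps above, and the export into the DER and PKCS#12 formats from the earlier section, carried out with the openssl CLI. This is an added example, not part of the original note: a throwaway self-signed root stands in for the real CA, and the names www.example.com, "Example Inc" and "Example Root CA" are constructed. It assumes an `openssl` binary on PATH and writes everything into a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original note: walk the signing workflow with
# the openssl CLI. A throwaway self-signed root plays the role of the CA;
# all names (www.example.com, "Example Inc", "Example Root CA") are constructed.
set -e

sign_with_demo_ca() {
  dir=$(mktemp -d)

  # Step 1 (applicant): generate a private key and a CSR carrying the subject
  # fields described above. The key stays with the applicant; only the CSR
  # (which holds the public key and identity fields) goes to the CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" \
    -subj "/C=US/ST=California/L=San Francisco/O=Example Inc/OU=IT/CN=www.example.com" \
    2>/dev/null

  # Stand-in root CA: a self-signed certificate plus its private key.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -days 1 -subj "/C=US/O=Example Root CA/CN=Example Root" \
    2>/dev/null

  # Step 2 (CA): after validating the request, sign it with the CA's private
  # key, binding the CSR's public key to the subject identity.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" -days 1 \
    2>/dev/null

  # The same credential in the other formats listed above: DER (binary, no
  # BEGIN/END markers) and PKCS#12 (cert + chain + private key, password-protected).
  openssl x509 -in "$dir/server.crt" -outform DER -out "$dir/server.der"
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
    -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/server.pfx"

  echo "$dir"
}

# Client-side check: does the certificate chain to the given trust anchor?
# This is the same decision `curl --cacert <file>` makes before trusting a server.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```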

Source Management

CAs manage the lifecycle of certificates, including the issuance of new certificates and the management of Intermediate CAs. Intermediate CAs act as a bridge between the trusted Root CA and the end-entity server certificate, forming a certificate chain.^[600-developer-tools-security-security-file-extension-name.md]

Users can also manage trust locally. For example, using the --cacert parameter with curl, a user can name a particular certificate file to trust for a connection.^[600-developer-tools-security-security-file-extension-name.md] Alternatively, on Windows, the built-in "certificate management system" (certmgr) allows users to view and manage the Root CA certificates trusted by the operating system.^[600-developer-tools-security-security-file-extension-name.md]

Sources

  • 600-developer-tools-security-security-file-extension-name.md
  • 600-developer-tools-security-000-moc-security.md