Blockchain & Cryptocurrency Glossary

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

  • search-icon Clear Definitions
  • search-icon Practical
  • search-icon Technical
  • search-icon Related Terms

CAs (Certificate Authorities)

2 min read
Pronunciation
[see-eyz / sur-tif-i-kit uh-thawr-i-teez]
Analogy
Think of a Certificate Authority like a government passport office. To get a passport (a digital certificate), you provide proof of your identity. The passport office (the CA) verifies your identity and issues an official passport that contains your photo and details (your public key bound to your identity). Other authorities and countries trust this passport because they trust the issuing government office.
Definition
Certificate Authorities (CAs) are trusted entities in public key infrastructure (PKI) that issue and manage digital certificates. These certificates bind a public key to an identity (e.g., a person, organization, server, or device), verifying that the public key indeed belongs to the claimed entity, which is crucial for secure communication (like HTTPS) and authentication.
Key Points Intro
CAs are foundational to web security and digital trust, verifying identities and issuing digital certificates that enable encrypted communication and authentication.
Key Points

Issue Digital Certificates: Create and sign certificates (e.g., SSL/TLS certificates) that affirm an entity's identity.

Establish Trust: Act as trusted third parties in a hierarchical trust model.

Enable Secure Communication: Crucial for HTTPS, ensuring website authenticity and encrypted data transfer.

Manage Certificate Lifecycle: Responsible for issuing, revoking, and renewing certificates.

Example
When you visit a secure website (HTTPS), your browser checks the website's SSL/TLS certificate. This certificate was issued by a CA (like Let's Encrypt, DigiCert, or GlobalSign) after verifying the website owner's identity and control over the domain. Your browser trusts the CA, and therefore trusts that the website is legitimate and your connection is encrypted.
Technical Deep Dive
CAs are part of a Public Key Infrastructure (PKI). When a CA issues a certificate, it signs the certificate with its own private key. Browsers and operating systems maintain a list of trusted root CAs. When presented with a certificate, software can verify its signature by using the CA's public key, tracing it back to a trusted root CA in a chain of trust. Certificates typically follow the X.509 standard and contain information like the subject's name, public key, issuer's name, serial number, and validity period. Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) are used to check if a certificate has been revoked before its expiry.
Security Warning
If a CA is compromised, attackers could issue fraudulent certificates for malicious websites, potentially leading to man-in-the-middle attacks or phishing. The security of the entire PKI system relies on the integrity and security practices of CAs. Using DANE or Certificate Transparency logs can add layers of security.
Caveat
The centralized nature of traditional CAs is sometimes seen as a single point of failure or control. Some blockchain projects explore decentralized identity or PKI alternatives to mitigate these concerns, though widespread adoption is still developing.
Related Terms
Digital Certificate
Encryption

CAs (Certificate Authorities) - Related Articles

No related articles for this term.