Defining Certificate Authority and How It Works

A certificate authority (CA) is a trusted third party that vouches that you control a digital identity such as a website's domain name or an email address. It does this by signing a digital certificate that binds your public key to that identity. Browsers and other clients that trust the CA can then trust that binding, confirm they are talking to the real site, and set up an encrypted connection with it. The CA does not create or hold your keys; it only certifies the public half of a key pair you generate yourself.

Some people use certificate authorities for human verification. After establishing a partnership with a recognised company, these people can do things like sign up for checking accounts or cross borders without burdensome paperwork.

But most people and organisations use a certification authority to help them prove digital ownership and protect critical assets. We’ll focus on that use case here.

What is a certificate authority?

As the name implies, a certificate authority issues certificates to people or organisations whose control of a name it has checked. You may not know these companies by name, and if you've never set up a website, you've never dealt with one directly. But every time you visit an HTTPS website, your browser relies on a CA's signature to decide whether the certificate the site presents is genuine.

A certificate authority provides two things:

  • Digital certificates: These small data files bind an identity (such as a domain name) to a public key, together with a validity period and the name of the issuing CA.
  • A signature on each certificate: The CA makes it with its own private key. Anyone holding the CA's public key, which ships in browser and operating-system trust stores, can check that the certificate is genuine and has not been altered.

The keys that actually encrypt your traffic are not supplied by the CA. Your server holds the private key matching the certified public key, and the session keys that protect data in transit are negotiated between browser and server during the TLS handshake.

Let's break this down a bit.

A certificate authority is a trusted organisation that certifies ownership. Once validation is complete (more on that in a minute), the CA issues a certificate signed with its private key. When your browser connects to a site, the server presents that certificate. The browser verifies the signature using the CA's public key from its trust store, then checks that the name in the certificate matches the site it asked for, that the certificate is within its validity period, and that it has not been revoked. If those checks pass, the browser and server complete a TLS handshake in which the server proves it holds the private key matching the certificate, and the two sides agree on session keys used to encrypt and decrypt the data they exchange.

If your website presents no certificate, or one that doesn't chain to a CA the browser trusts (a self-signed certificate, for example), your visitors get a full-page warning about the problem. Typically, these warnings tell users that the site they want to visit can't be verified and that their connection may be intercepted. Visitors can override these warnings and visit the site anyway. But some won't take the risk.

How do certification authorities work?

Getting a certificate from a publicly trusted CA reassures visitors that they are talking to the real site and that the connection is encrypted. It's relatively easy to get started.

Once you choose the right certificate partner, you'll follow these steps:

  • Validation: The CA confirms that you control the name you want certified. Domain-validation CAs do this by sending a note to an address listed as the domain's administrative contact, or by asking you to publish a specific DNS record or serve a specific file from the site. Organisation- and extended-validation CAs dig deeper and check the legal entity behind the site as well.

  • Generation: You generate a key pair, one public key and one private key, and a certificate signing request (CSR). The CSR contains your public key and the names you want certified, and is signed with your private key to prove you hold it. You send only the CSR to the CA; the private key stays with you.

  • Verification: The CA checks the CSR against what it validated. If all is in order, it signs your certificate with its own private key. You get back the signed certificate, usually together with the intermediate certificates that chain it to the CA's root. The CA never sends you a private key; the only private key in play is the one you generated.

  • Installation: You install the certificate, the intermediate chain and your private key on your web server, with the private key readable only by the server process.
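
The whole flow, reduced to a scratch PKI you can run locally with OpenSSL, as an added example that is not part of the original post. It plays both parties: a made-up "Example Root CA" stands in for your CA partner, and a site operator requests a certificate for the hypothetical name www.example.test. It also builds a second, untrusted "Imposter CA" and a certificate for a different name so you can watch the checks a browser makes fail in both ways. The CA names, host names, file names and lifetimes are all assumptions for the example; the out-of-band validation (the email or DNS check) is not shown.

```shell
#!/bin/sh
# Added example: a scratch PKI that walks the issuance steps above.
# Everything lives in a temporary directory that is deleted on exit;
# no real CA is involved and every name below is made up.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

SITE="www.example.test"   # hypothetical site name

# openssl req needs a distinguished_name section even when -subj is used;
# ca_ext is the extension profile for the self-signed root.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Step 1 (CA side): key pair + self-signed root. $1.key is what the CA
# signs with and never leaves the CA; only $1.crt is handed to browsers.
make_root() {   # $1 = file prefix, $2 = CA display name
  openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -extensions ca_ext -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Step 2 (site side): the operator's own key pair and a CSR. The CSR carries
# the public key and requested name and is signed with the operator's private
# key to prove possession; $1.key stays on the server.
make_csr() {    # $1 = file prefix, $2 = hostname
  openssl req -config pki.cnf -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Step 3 (CA side): after validating control of the name out of band, the CA
# signs the CSR with ITS private key and adds the leaf extensions. Note that
# the site's private key is never an input here.
issue_leaf() {  # $1 = CA prefix, $2 = CSR prefix, $3 = hostname, $4 = output cert
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$3" > "$4.ext"
  printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' >> "$4.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 90 -sha256 -extfile "$4.ext" -out "$4" 2>/dev/null
}

# Step 4 (browser side): chain the leaf to a trusted root AND check that it
# is for the name actually being visited. Exit status 0 means "accepted".
browser_check() {   # $1 = trusted root bundle, $2 = leaf cert, $3 = hostname visited
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

make_root ca "Example Root CA"
make_root imposter "Imposter CA"          # NOT in the browser's trust store
make_csr server "$SITE"
make_csr other "other.example.test"
issue_leaf ca server "$SITE" server.crt
issue_leaf imposter server "$SITE" server-imposter.crt   # right name, untrusted signer
issue_leaf ca other "other.example.test" other.crt       # trusted signer, wrong name

genuine_trusted()    { browser_check ca.crt server.crt "$SITE"; }
imposter_trusted()   { browser_check ca.crt server-imposter.crt "$SITE"; }
wrong_name_trusted() { browser_check ca.crt other.crt "$SITE"; }

report() { if "$1"; then echo "$2: accepted"; else echo "$2: REJECTED"; fi; }
report genuine_trusted    "genuine cert"
report imposter_trusted   "cert signed by untrusted CA"
report wrong_name_trusted "cert for a different name"
```

Only the genuine certificate is accepted. The imposter's certificate is rejected even though it names the right host, because the root that signed it is not in the trust bundle, and the other certificate is rejected even though a trusted CA signed it, because its name does not match the site being visited. Those two checks are exactly what a browser does before it lets the TLS handshake proceed.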

This is where the weak points are. If you work with a CA whose validation is minimal, or if an attacker can intercept the validation email or tamper with your DNS, they can obtain a certificate for your domain, and your visitors won't be as safe as they believe they are. Guard the private key as carefully as the certificate: anyone who copies it can impersonate your site until the certificate expires or is revoked.

Anyone who hosts a website should be interested in certification. Google has pushed for encryption on all websites and uses HTTPS as a search ranking signal, so a site without a certificate may be ranked lower than an equivalent site that has one.

Who are certificate authorities?

While certificate authorities play a critical role in the modern connected world, the market is concentrated: a handful of companies issue most of the publicly trusted certificates in use.

Market research (Frost and Sullivan, 2019) found that just seven companies handle most of the business. They are:

  • DigiCert

  • Sectigo

  • GoDaddy

  • GlobalSign

  • Entrust

  • Trustwave

  • Network Solutions

All of the companies listed here participate in industry bodies such as the CA/Browser Forum, whose Baseline Requirements set the rules for validation and issuance, and the Certificate Authority Security Council. The practical test, though, is whether a CA's root certificate is included in the trust stores of the major browsers and operating systems; a certificate from a CA that isn't will trigger the same warning as no certificate at all. Beware of any unaffiliated group that tries to sell you a certificate. You could be dealing with an imposter.

We talked a bit about cryptographic keys in this blog post. If you're not sure what that term is or how keys work, we've written all about public key encryption here, and we encourage you to check it out.

References

Digital Certificate Dangers, and How to Fight Them. (August 2013). eSecurity Planet.

Security Tip (ST05-010). (November 2019). Cybersecurity and Infrastructure Security Agency.

HTTPS Encryption on the Web. Google.

The Global TLS Certificate Authority Market. (2019). Frost and Sullivan.