/ˈsɜːr.tɪ.fɪ.kət əˈθɒr.ɪ.ti/

noun — "the trusted entity that vouches for digital identities."

CA, short for Certificate Authority, is a trusted organization or service that issues, manages, and revokes digital certificates within a PKI framework. These certificates bind public keys to verified identities, enabling secure communication, authentication, and data integrity over networks such as the Internet. Essentially, a CA acts as a digital notary, confirming that a public key belongs to the claimed entity.

Technically, a CA performs identity validation for individuals, organizations, or devices before issuing a certificate. It maintains a certificate repository, tracks revocations using Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP), and signs certificates using its own secure private key. Systems and applications trust certificates because they implicitly trust the CA’s root key.

Key characteristics of a CA include:

  • Trust anchor: serves as a root of trust for digital certificates.
  • Certificate issuance: verifies identities and signs public keys.
  • Revocation management: tracks and invalidates compromised or expired certificates.
  • Compliance: operates under policies and industry standards for security and reliability.
  • Scalability: supports millions of certificates for global networks and services.

In practical workflows, applications like web browsers, email clients, and VPNs check a certificate against the issuing CA to validate authenticity. Administrators rely on CA hierarchies and trust chains to ensure secure communications across organizations and the Internet.

Conceptually, a CA is like a trusted notary public in the digital world, certifying identities so parties can interact securely without meeting face-to-face.

Intuition anchor: a CA turns unverified digital keys into trusted credentials, forming the foundation of secure online interactions.

Related links include PKI, Encryption, and Digital Signature.