CA Certs Definition
What are CA Certs?
Digital certificates are vital to the modern Internet. A digital certificate contains a public key that can be used to verify digital signatures generated by the key’s owner or to send encrypted messages to them. It also provides information about the domain it’s tied to and the organization that owns that domain.
When using the HTTPS protocol for secure web browsing, the web server will provide its digital certificate. This is used to establish an encrypted, authenticated connection between the user and the web server.
A digital certificate on its own claims that a particular public key is owned by a website, but there’s no proof. Verifying this claim is where public key infrastructure (PKI) and certificate authorities (CAs) come into the picture.
How Does PKI Work?
A digital certificate on its own provides no proof that a public key actually belongs to a particular party. Anyone can generate a digital certificate, so an attacker could create one claiming that a public key that they control is the official public key for a website. This would allow them to perform an on-path attack, intercepting a user’s web traffic to a site and modifying its contents. Because the user believes that the attacker’s public key belongs to the website, the attacker can change the data being sent to the user and generate digital signatures that the user accepts as valid.
PKI addresses this concern by building a system for verifying the authenticity of a digital certificate. Certain organizations have been designated as root CAs, giving them the authority to issue digital certificates for certain domains (such as all .com domains). Every computer has a built-in list of root CAs that it implicitly trusts.
When a digital certificate is requested from a root CA, the CA verifies that the requestor owns the site that the certificate will be issued for. Often, this is accomplished by having the owner place a certain value in a file on the website. After verifying that the requestor can do so — and therefore is the owner of the site — the root CA will issue them a digital certificate for that domain. This digital certificate will be signed by the root CA’s private key, and the corresponding public key will be included to enable verification of that signature.
If someone owns a digital certificate for a certain domain, they have the ability to issue digital certificates for subdomains under that domain. If so, they are acting as an intermediate CA. The user’s digital certificate — which is signed by the intermediate CA — will also include the digital certificate of the intermediate and root CAs.
Verifying the “Chain of Trust”
PKI is designed to create a “chain of trust” between the end user’s digital certificate and the root CA. A digital certificate will include the root CA’s certificate as well as those of any intermediate CAs.
When someone receives a digital certificate, they verify it by working back through the chain of digital signatures. The signature on the end user’s digital certificate — and thus the authenticity of their public key — can be verified with the public key of the next certificate up the chain. This process continues all the way back to the root CA.
A root CA’s digital certificate is self-signed, meaning that it is signed using its own private key. The authenticity of this certificate is verified based on whether the root CA is trusted by a computer.
If all of the digital signatures are verified and the root CA is trusted, then the end user’s public key is likely legitimate, provided that the certificate hasn’t expired or been revoked since its creation. The public key can then be used to validate digital signatures from the site or to establish encrypted connections with it.
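The chain walk described above, as an added example that is not part of the original page: a toy model that uses textbook RSA and simplified certificate records rather than real X.509. All names, keys and timestamps are constructed, revocation is tracked by subject name for brevity, and the last lines build the kind of attacker-made certificate described under “How Does PKI Work?” so the check can be run against it.

```python
# Added illustration: toy certificates and textbook RSA (no padding), not real X.509.
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key
def keypair(p, q):  # -> (public modulus n, private exponent d)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

@dataclass
class Cert:
    subject: str
    issuer: str
    pub_n: int      # the subject's public key
    not_after: int  # expiry, Unix time
    sig: int = 0    # issuer's signature over the fields above

    def digest(self, n):
        tbs = f"{self.subject}|{self.issuer}|{self.pub_n:x}|{self.not_after}"
        return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % n

def issue(subject, pub_n, not_after, issuer, issuer_n, issuer_d):
    cert = Cert(subject, issuer, pub_n, not_after)
    cert.sig = pow(cert.digest(issuer_n), issuer_d, issuer_n)
    return cert

def verify_chain(chain, trusted_roots, now, revoked=()):
    """chain is leaf first, root last (the last entry is checked against itself)."""
    for cert, parent in zip(chain, chain[1:] + chain[-1:]):
        if cert.issuer != parent.subject:
            return f"{cert.subject}: issuer missing from chain"
        if pow(cert.sig, E, parent.pub_n) != cert.digest(parent.pub_n):
            return f"{cert.subject}: bad signature"
        if now > cert.not_after or cert.subject in revoked:
            return f"{cert.subject}: expired or revoked"
    if trusted_roots.get(chain[-1].subject) != chain[-1].pub_n:
        return f"{chain[-1].subject}: not a trusted root"
    return "ok"

# Constructed sample data: Mersenne primes stand in for randomly generated RSA primes.
P = [2**k - 1 for k in (89, 107, 521, 607, 1279, 2203, 2281, 3217)]
NOW, LATER = 1_700_000_000, 1_800_000_000
(ROOT_N, ROOT_D), (INT_N, INT_D), (EVIL_N, EVIL_D) = (keypair(*P[i:i + 2]) for i in (2, 4, 6))
ROOT = issue("Toy Root CA", ROOT_N, LATER, "Toy Root CA", ROOT_N, ROOT_D)
INTER = issue("Toy Intermediate CA", INT_N, LATER, "Toy Root CA", ROOT_N, ROOT_D)
SITE = issue("www.example.test", P[0] * P[1], LATER, "Toy Intermediate CA", INT_N, INT_D)
# Certificates an on-path attacker could make for the same name with their own key.
SELF_SIGNED = issue("www.example.test", EVIL_N, LATER, "www.example.test", EVIL_N, EVIL_D)
FORGED = issue("www.example.test", EVIL_N, LATER, "Toy Intermediate CA", EVIL_N, EVIL_D)
TRUST = {"Toy Root CA": ROOT_N}  # the verifier's built-in root list
```

Calling `verify_chain([SITE, INTER, ROOT], TRUST, NOW)` returns `"ok"`, while the self-signed certificate fails the trusted-root check and the forged one fails the signature check against the intermediate CA’s public key.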
Conclusion
By purchasing a CA cert, a user proves the authenticity of the public key associated with their website. This is essential to the use of protocols like HTTPS, which use that public key to establish secure connections and authenticate the identity of the website to users.