Starting from the definition: A certificate authority or certification authority (CA) is an entity that issues digital certificates.
There are two types of certificate authorities:
- A public certificate authority (public CA) is a third party that browsers, individuals, operating systems, and applications implicitly trust to issue digital certificates for use in public channels.
- A private certificate authority (private CA) is an internal entity that issues digital certificates that are only known and trusted inside the organization’s internal network and IT environment.
Therefore, a public CA plays a key role in creating a chain of external trust. Becoming a public CA requires resources, money and certain requirements that have to be met as a minimum. Trusted CA’s need to undergo regular audit checks by independent parties, adhere to industry guidelines and maintain best practices to secure their infrastructure.
Public CA’s play a critical role in the operation of the internet and how transparent, trusted transactions can take place online. Without certificate authorities; shopping, banking and browsing the internet would be less secure. Certificate authorities validate organizations, people and devices by issuing digital certificates, and it is these certificates that are used to encrypt transactions, protect information and to enable secure communication. Prior to issuing a digital certificate, the CA needs to carry out a validation process, checking the identity of the applicant. Depending on the type of certificate required, information such as site ownership, name, location and company checks may be necessary.
Here are some examples of digital certificate use cases:
- Banking and financial services require qualified certificates and seals for the purpose of identifying other legal entities such as payment service providers and other banks and financial institutions, including insurance companies. These certificates encrypt communications and verify licenced roles and are a legal requirement for PSD2 enhanced security measures.
- A company that needs to sign software releases and validate software from the developer or vendor will require a code signing certificate.
- To secure Internet of Things (IoT), (including eHealth) devices - IoT device certificates are required.
- Any website that wants to display a secure padlock and enable HTTPS needs to acquire a TLS/ SSL certificate.