Certificate Authority (CA)
A CA provides services in the field of certificate issuing and electronic signatures, where it acts as a Trusted Third Party. A CA is responsible for the validation of certificate requests, issuing certificates, revocation of invalid certificates and publishing information about certificates which have been revoked.
Trusted Third Party (TTP)
A CA is an example of a Trusted Third Party, or a TTP. A TTP enables the collaboration between two parties unknown to each other, where these parties trust the judgement of the TTP. In this manner, a TTP plays a central role in the Public Key Infrastructure by guaranteeing the reliability of the unknown parties.
Certificate Authority (CA)
A certificate authority (also called certification authority or CA) issues digital certificates to other parties. In doing so, the CA attests that the certificate belongs to the person, organization, server or entity recorded in the certificate. It does this by signing the certificate, which contains the owner's public key, with the private key belonging to its own (root) certificate. This only works if the user can verify the signature of the CA and can be confident that the CA actually checks who owns the certificate.
The root certificates of these CAs are included by default in all common browsers. As a result, standard browsers automatically trust websites whose SSL certificate chains to one of these root certificates. When a browser encounters a CA it does not know, it shows an error message.
Model of Trust
A CA uses a self-signed root certificate and can issue multiple root and intermediate certificates. In the resulting tree structure of certificates, all intermediate certificates enjoy the same trust as the Root CA. Using its Root CA, a CA can sign one or more intermediate certificates, which in turn are used to sign other certificates (for end users). Signing by a CA can be seen as a notarized declaration of identity, because the CA functions as a TTP in the PKI. In the case of SSL, web browsers trust the CA root certificates and, through them, all intermediate certificates belonging to those root certificates. This reflects the importance of a trusted Root CA and the consequences if the root certificate falls into the wrong hands.
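The chain of trust described above, as an added example that is not from the original page: a constructed root, intermediate and end-user certificate are built with the openssl command line and then verified with the intermediate, without it, and against an unrelated root. The names root, inter, leaf, other and pki.cnf are made up for the demo, and the openssl CLI is assumed to be installed.

```sh
#!/bin/sh
# Constructed demo PKI: root -> intermediate -> leaf, plus an unrelated root.

# write_config DIR: minimal config; v3_ca marks certificates allowed to sign others
write_config() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
}

# make_root DIR NAME: self-signed root certificate NAME.pem with key NAME.key
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/pki.cnf" -extensions v3_ca \
    -subj "/CN=$2" -days 1 -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR NAME ISSUER PROFILE: NAME.pem signed with ISSUER's private key
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
    -extfile "$1/pki.cnf" -extensions "$4" -days 1 -out "$1/$2.pem" 2>/dev/null
}

# trusted DIR LEAF ROOT [INTERMEDIATE]: exit 0 only if LEAF chains up to ROOT
trusted() {
  openssl verify -CAfile "$1/$3.pem" ${4:+-untrusted "$1/$4.pem"} "$1/$2.pem" >/dev/null 2>&1
}

# build_pki DIR: trusted root, its intermediate and leaf, and the unrelated root
build_pki() {
  write_config "$1" && make_root "$1" root && make_root "$1" other &&
  issue "$1" inter root v3_ca && issue "$1" leaf inter v3_leaf
}

demo=$(mktemp -d) && build_pki "$demo" || exit 1
trusted "$demo" leaf root inter && echo "root + intermediate: trusted"
trusted "$demo" leaf root || echo "intermediate missing: rejected"
trusted "$demo" leaf other inter || echo "unknown root CA: rejected"
rm -rf "$demo"
```

The leaf is accepted only when every signature on the path leads back to the one root the verifier was told to trust, which is the check a browser performs against its built-in root store.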
Types of CA
It is possible for institutions or governments to function as a CA or to administer their own Certificate Authorities. Furthermore, it is possible for commercial CAs to sell certificates to third parties. Xolphin sells the following commercial CA brands:
The images below show the market share per CA per total number of certificates and per validation level, in July 2019. Out of the total number of 68 million active certificates, there are 54 million DV, 13.5 million OV and more than 200,000 EV certificates.
[Figures: market share per CA. Panels: Total & Domain Validation; Organisation and Extended Validation]
Registration Authority (RA)
An RA is responsible for the processing of certificate applications and validating the identity of the applicants. Certificates can be issued after this validation has been completed successfully. Most CAs are both CA and RA, but it is possible to (partly) outsource the RA function to third parties. Xolphin is an example of such a third party, and functions as a Registration Authority.