The Certificate Authorities

How a chain of trusted signers turns a raw public key into a verifiable identity.

5 min read · core

The Binding Problem

A public key alone says nothing about who owns it. A certificate solves this by binding a public key to an identity, such as a domain name, and having a trusted party vouch for that binding.

The Authority

A certificate authority (CA) verifies an applicant and then signs the applicant's certificate with the CA's private key. Browsers and operating systems ship with a built-in set of trusted root CA public keys.

Chains of Trust

  • A root CA signs intermediate CAs.
  • An intermediate signs the server certificate.
  • A client verifies each signature up to a trusted root.

If any link fails to verify or the chain does not reach a trusted root, the certificate is rejected.

Revocation

Keys can be compromised, so CAs publish revocation information that lets clients reject a certificate that should no longer be trusted even though it has not yet expired.
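The chain walk from the previous section and the revocation check from this one, as an added example that is not part of the lesson: a toy PKI in Python with a constructed root, intermediate and server certificate. The RSA keys use tiny hand-picked primes and the CA names are made up, so it illustrates only the mechanics, not a secure implementation.

```python
import hashlib, json

E = 65537  # toy RSA over tiny, hand-picked primes: shows the mechanics, is in no way secure

def keypair(p, q):  # returns (public, private) as (n, exponent) pairs
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(n, payload):  # hash reduced into the tiny modulus; real RSA pads a full-size hash
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n

def sign(priv, payload):
    return pow(digest(priv[0], payload), priv[1], priv[0])

def verify(pub, payload, sig):
    return pow(sig, pub[1], pub[0]) == digest(pub[0], payload)

def tbs(cert):  # the "to-be-signed" fields, serialised deterministically
    return json.dumps({k: cert[k] for k in ("subject", "issuer", "serial", "pub")}, sort_keys=True).encode()

def issue(subject, serial, subject_pub, issuer_name, issuer_priv):
    cert = {"subject": subject, "issuer": issuer_name, "serial": serial, "pub": list(subject_pub)}
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert

def verify_chain(chain, trust_store, revoked):
    """chain: [leaf, intermediate, ...]; trust_store: {root name: root pub};
    revoked: {(issuer, serial)}. Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        if (cert["issuer"], cert["serial"]) in revoked:
            return False, f"{cert['subject']} is revoked"
        issuer = cert["issuer"]
        if issuer in trust_store:
            issuer_pub = trust_store[issuer]  # the built-in root key, never a key the peer sent
        elif i + 1 < len(chain) and chain[i + 1]["subject"] == issuer:
            issuer_pub = tuple(chain[i + 1]["pub"])  # the next certificate up the chain
        else:
            return False, f"no issuer certificate for {cert['subject']}"
        if not verify(issuer_pub, tbs(cert), cert["sig"]):
            return False, f"bad signature on {cert['subject']}"
        if issuer in trust_store:
            return True, f"chains to trusted root {issuer}"
    return False, "chain does not reach a trusted root"

def build_demo():  # constructed PKI: root -> intermediate -> server cert; all names made up
    root_pub, root_priv = keypair(2305843009213693951, 2147483647)
    int_pub, int_priv = keypair(1000000007, 998244353)
    leaf_pub, _ = keypair(4294967291, 1000000009)
    inter = issue("Example Intermediate CA", 1, int_pub, "Example Root CA", root_priv)
    leaf = issue("www.example.com", 42, leaf_pub, "Example Intermediate CA", int_priv)
    return [leaf, inter], {"Example Root CA": root_pub}
```

Call `verify_chain(*build_demo(), set())` for the valid case; pass `{("Example Intermediate CA", 42)}` as the revoked set, drop the intermediate from the chain, or edit the leaf's subject to see each failure mode reported.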

Key idea

Certificate authorities bind public keys to identities by signing certificates, and clients trust a server only when its certificate chains up through intermediates to a built-in trusted root and has not been revoked.

Check yourself

1. What does a certificate authority do?

2. How does a client establish trust in a server certificate?

3. Why do CAs publish revocation information?