📖 What is a Certificate Authority (CA)?
A Certificate Authority (CA) is a trusted third-party entity that issues digital certificates to verify the identity of a person, organization, or server. It acts as the root of trust in a Public Key Infrastructure (PKI) environment, signing certificates so that relying parties can confirm their authenticity and validity.
"The CA is the 'notary' of the internet. If a browser warns that a certificate is not trusted, it means the CA that signed it is not in the browser's trusted root store."
📚 Certification: CompTIA Security+ Certification Exam (SY0-701)
🔑 What are the Key Concepts of a Certificate Authority (CA)?
- ▸ Root CAs serve as the ultimate trust anchor in a PKI hierarchy, signing certificates for Intermediate CAs to minimize the risk of root key compromise.
- ▸ Intermediate CAs act as proxies for the Root CA, issuing end-entity certificates to users or servers while keeping the Root CA offline for security.
- ▸ The Certificate Signing Request (CSR) is the initial application sent to a CA, containing the entity's public key and identifying information for verification.
- ▸ CAs maintain Certificate Revocation Lists (CRLs) and provide OCSP responders so that clients can check whether a certificate has been revoked before its expiration date.
- ▸ Trust stores are local databases of trusted root certificates pre-installed in operating systems and browsers, allowing them to validate certificates signed by those CAs.
🎯 How does a Certificate Authority (CA) appear on the SY0-701 Exam?
You may be asked to identify the entity responsible for verifying an organization's identity and signing a digital certificate to secure a public-facing web server using TLS, focusing on the role of the trusted third party.
A scenario might describe a user receiving a 'Certificate Not Trusted' warning in their browser; you must determine if the issue is a missing root certificate in the local trust store.
Expect questions about the trade-offs between using a public CA for external trust versus a private CA for internal corporate resources to reduce costs and maintain administrative control over internal identities.
❓ Frequently Asked Questions
Why use an Intermediate CA instead of just the Root CA?
Using an Intermediate CA protects the Root CA's private key by allowing it to remain offline. If an Intermediate CA is compromised, it can be revoked by the Root without needing to replace the entire trust anchor.
What is the difference between CRL and OCSP?
A CRL is a downloadable list of all revoked certificates, which can become very large. OCSP provides a real-time request/response mechanism to check the status of a single certificate, offering better efficiency and timeliness.
Can a company act as its own Certificate Authority?
Yes, this is a Private CA. While it provides full control and no cost per certificate, devices must manually trust the company's root certificate; otherwise, they will trigger security warnings in browsers.