Certificate authorities (CAs) are the “gatekeepers” of public and private keys.
They are also known as trusted third parties (TTPs).
The primary role of the CA is to:
A certification authority is a trusted third party that:
The signature on a certificate is made with the CA's own private key, so trust in the user's key depends on one's trust in the validity of the CA's key. See Cryptography - Certificate Signing Request
In a centralized model (Public key infrastructure (PKI)), there are two types of certificate authorities (CAs):
A trusted certificate authority is an entity that has been entitled to verify that someone is effectively who they declare to be. An intermediate CA can ask a trusted CA to sign its certificate, creating a chain of trust.
List of root CA:
See Trust model - Web of trust
Requesting a certificate from a local certification authority
On CentOS, the package ca-certificates contains the latest set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI.
To get the latest CA certificates:
yum install ca-certificates
It installs the following files.
The most important one is /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit, a bundle of X.509 certificates of public certificate authorities. It was generated from the Mozilla root CA list.
File (stored under /etc/pki) | Description |
---|---|
ca-bundle.crt | A list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information. |
ca-bundle.trust.crt | A list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. |
/etc/pki/java/cacerts | A list of CA certificates trusted for TLS server authentication, in the Java keystore file format, without distrust information. |
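The two PEM layouts in the table differ only in their boundary lines, which makes a quick sanity check of a bundle possible without parsing the certificates themselves. The following is an added example (not from the original page) that counts plain and TRUSTED entries in a bundle and reports any entry whose END line is missing, the symptom of a bundle truncated during an update. The sample bundle is constructed inline with placeholder bodies; the function works on a real file such as /etc/pki/tls/certs/ca-bundle.crt as well.

```shell
# Added example, not from the original page: summarize a CA bundle by PEM
# layout. Only the BEGIN/END boundary lines are inspected, so this works on
# any bundle, e.g. ca-bundle.crt or ca-bundle.trust.crt under /etc/pki/tls/certs.

# summarize_bundle FILE -> "plain=N trusted=M unterminated=K"
summarize_bundle() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/          { plain++;   open++ }
        /^-----BEGIN TRUSTED CERTIFICATE-----$/  { trusted++; open++ }
        /^-----END (TRUSTED )?CERTIFICATE-----$/ { open-- }
        END { printf "plain=%d trusted=%d unterminated=%d\n", plain, trusted, open }
    ' "$1"
}

# demo_bundle_summary -> runs summarize_bundle over a constructed sample bundle
demo_bundle_summary() {
    sample=$(mktemp) || return 1
    # Constructed sample: the base64 bodies are placeholders, not real
    # certificates; only the boundary lines matter to this check.
    cat > "$sample" <<'EOF'
# Demo Root A (simple format)
-----BEGIN CERTIFICATE-----
MIIBszCCAVygAwIBAgIBATANBgkqhkiG9w0BAQsFADA=
-----END CERTIFICATE-----
# Demo Root B (extended format: trust flags follow the certificate in the body)
-----BEGIN TRUSTED CERTIFICATE-----
MIIBszCCAVygAwIBAgIBATANBgkqhkiG9w0BAQsFADA=
-----END TRUSTED CERTIFICATE-----
# Demo Root C (simple format)
-----BEGIN CERTIFICATE-----
MIIBszCCAVygAwIBAgIBATANBgkqhkiG9w0BAQsFADA=
-----END CERTIFICATE-----
# Truncated entry, as left behind by a bundle cut short while being written
-----BEGIN CERTIFICATE-----
MIIBszCCAVygAwIBAgIBATANBgkqhkiG9w0BAQsFADA=
EOF
    summarize_bundle "$sample"
    rm -f "$sample"
}

demo_bundle_summary
```

A non-zero unterminated count on a system bundle means the file should be regenerated (for example with update-ca-trust) rather than trusted as-is.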
To learn more, see the documentation of update-ca-trust, which manages the consolidated and dynamic configuration of CA certificates and their associated trust.
Example commands:
update-ca-trust force-enable
update-ca-trust extract