Trust model - Certificate authorities (CA) or Trusted Third party (TTP)


certificate authorities are the a “gatekeeper” of public and private keys.

They are also known as trusted third party (TTP)

The primary role of the CA is to:

A certification authority is a trusted third party that:

  • can issue public and private keys, thus certifying public keys.
  • works as a depository to store certificate chain and enforce the trust factor.


The signature is done using the CA's own private key, so that trust in the user key relies on one's trust in the validity of the CA's key. See Cryptography - Certificate Signing Request



Centralized Model

In a centralized model (Public key infrastructure (PKI)), there are two types of certificate authorities (CAs):

  • Certificate Authority Root Certificates. (trusted)
  • Intermediate Certificate Authority Certificates (not trusted)

A trusted certificate authority is an entity that has been entitled to verify that someone is effectively who it declares to be. In intermediate CA may ask to create certificate to a trusted one creating a chain of trust.

List of root CA:

  • Verisign,
  • Thawte,
  • Geotrust
  • GoDaddy

Decentralized Model




On Centos, the package ca-certificates contains the latest set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI.

To get the latest CA,

yum install ca-certificates

It will install all this files

The most important one is /usr/share/pki/ca-trust-source/ which is a bundle of X.509 certificates of public Certificate. It was generated from the Mozilla root CA list.

File (stored under /etc/pki) Description
ca-bundle.crt File contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
/etc/pki/java/cacerts cacert File contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.

To know more, see the documentation of update-ca-trust that manage consolidated and dynamic configuration of CA certificates and associated trust

Example of command:

update-ca-trust force-enable
update-ca-trust extract

Powered by ComboStrap