Trust model - Certificate authorities (CA) or Trusted Third party (TTP)


certificate authorities are the a “gatekeeper” of public and private keys.

They are also known as trusted third party (TTP)

The primary role of the CA is to:

A certification authority is a trusted third party that:

  • can issue public and private keys, thus certifying public keys.
  • works as a depository to store certificate chain and enforce the trust factor.


The signature is done using the CA's own private key, so that trust in the user key relies on one's trust in the validity of the CA's key. See Cryptography - Certificate Signing Request



Centralized Model

In a centralized model (Public key infrastructure (PKI)), there are two types of certificate authorities (CAs):

  • Certificate Authority Root Certificates. (trusted)
  • Intermediate Certificate Authority Certificates (not trusted)

A trusted certificate authority is an entity that has been entitled to verify that someone is effectively who it declares to be. In intermediate CA may ask to create certificate to a trusted one creating a chain of trust.

List of root CA:

  • Verisign,
  • Thawte,
  • Geotrust
  • GoDaddy

Decentralized Model

see Trust model - Web of trust

  • PGP


Requesting a certificate from a local certification authority



On Centos, the package ca-certificates contains the latest set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI.

To get the latest CA,

yum install ca-certificates

It will install all this files

The most important one is /usr/share/pki/ca-trust-source/ which is a bundle of X.509 certificates of public Certificate. It was generated from the Mozilla root CA list.

File (stored under /etc/pki) Description
ca-bundle.crt File contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
/etc/pki/java/cacerts cacert File contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.

To know more, see the documentation of update-ca-trust that manage consolidated and dynamic configuration of CA certificates and associated trust

Example of command:

update-ca-trust force-enable
update-ca-trust extract

Discover More
Certificate Validity Period Not Before Not After Portecle
CA Certificate

A CA certificate is a certificate used by a certificate authority to sign certificate. In the chain, it's the Root certificate or the intermediate certificates. Most organizations create an intermediate...
Certbot (letsencrypt | letsencrypt-auto)

Certbot is an acme client (Let’s Encrypt CA) (or any other CA) to issue SSL certificates. Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority...
Certificate Validity Period Not Before Not After Portecle
Certificat and chain verification

A certificate check is equivalent to an authentication. The signature of the certificate is verified with the public key to check if it was signed (issued) by a trusted party (usually a trusted...
Csr Ldap Dn Properties
Cryptography - Certificate Signing Request

When requesting a signed certificate, an additional file must be created. This file is called Certificate Signing Request, generated from the Private Key. See the procedure at signed certificate procedure...
Cryptography - Java cacerts truststore (CA Certificates)

cacerts is the default truststore of Java. It comes with a Java Installation. It's in the jks format and contains CA certificate. If your server’s certificate is signed by a recognized CA, the default...
Chrome Truststore
Cryptography - Truststore

A truststore is a store that is (used normally on the client side) when making decisions what to trust. If you receive data from an entity that you already trust, and if you can verify that the entity...
Email - Encryption

in Email Message can be encrypted using: (in transit and storage) (in transit and storage) (in transit) S/MIME is a long-standing protocol which allows encrypted and signed messages to...
Certificate Validity Period Not Before Not After Portecle
How a certificate is signed ? (known also as issuing or producing)

This article talks how a certificate: is send by a sender (known also as the owner) and gets its signature from a trusted ca to validate the identity of the sender. By signing a certificate, the...
400 Default Page No Required Ssl Certificate
How to configure certification based client authentication with Nginx ?

This article shows you how to configure a client authentication via the ownership of a certificat on a Nginx web server. The server should be already configured for HTTPS as client certificate (client...
Certificate Validity Period Not Before Not After Portecle
Identification Material - Certificate (or Public Key Certificate)

A certificate is a document which permits to define with certainty the owner of the private key (ensures that the party you are communicating with is whom you think.) because it's digitally signed A certificate...

Share this page:
Follow us:
Task Runner