A certificate authority (CA) is also known as a trusted third party (TTP).
The primary role of the CA is to:
- digitally sign certificates
- publish the public key bound to a given user.
A certification authority is a trusted third party that:
- can issue key pairs (public and private keys) and certify public keys.
- works as a repository that stores certificate chains and enforces the trust relationship.
The signature is done using the CA's own private key, so that trust in the user key relies on one's trust in the validity of the CA's key. See Cryptography - Certificate Signing Request
In a centralized model (Public Key Infrastructure, PKI), there are two types of certificate authority (CA) certificates:
- Root Certificate Authority certificates (trusted: they are the trust anchors)
- Intermediate Certificate Authority certificates (not trusted on their own)
A trusted certificate authority is an entity that has been entitled to verify that someone is effectively who it declares to be. An intermediate CA can ask a trusted CA to issue its certificate, which creates a chain of trust from the intermediate back to the root.
List of root CAs:
On CentOS, the package ca-certificates contains the latest set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI.
To get the latest CAs:
yum install ca-certificates
It installs the files listed below.
The most important one is /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit, a bundle of the X.509 certificates of public Certificate Authorities. It was generated from the Mozilla root CA list.
|File (stored under /etc/pki)|Description|
|---|---|
|ca-bundle.crt|A list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.|
|ca-bundle.trust.crt|A list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.|
|/etc/pki/java/cacerts|A list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.|
To know more, see the documentation of update-ca-trust, which manages the consolidated and dynamic configuration of CA certificates and associated trust.
Example of commands:
update-ca-trust force-enable
update-ca-trust extract