About
Certificate authorities (CAs) are the “gatekeepers” of public and private keys.
They are also known as a trusted third party (TTP).
The primary role of the CA is to:
- digitally sign certificates
- publish the public key bound to a given user.
A certification authority is a trusted third party that:
- can issue public and private keys, thus certifying public keys.
- works as a repository that stores certificate chains and enforces the trust factor.
Procedure
The signature is made with the CA's own private key, so trust in the user's key rests on one's trust in the validity of the CA's key. See What is a Certificate Signing Request (CSR)?
Location
Internet
Centralized Model
In a centralized model (Public key infrastructure (PKI)), there are two types of certificate authority (CA) certificates:
- Root Certificate Authority certificates (trusted)
- Intermediate Certificate Authority certificates (not trusted)
A trusted certificate authority is an entity that has been entitled to verify that someone is effectively who they declare to be. An intermediate CA may ask a trusted CA to sign its certificate, creating a chain of trust.
List of root CAs:
- Verisign
- Thawte
- Geotrust
- GoDaddy
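As an added example, not code from the original page, the script below uses the openssl command line to build a small root -> intermediate -> leaf chain and then checks which combination of trust anchor and chain material verifies. It assumes the openssl CLI is installed; all subject names are constructed.

```shell
# Added example, not from the original page: build a root -> intermediate -> leaf
# chain with the openssl CLI and show where trust is anchored. All names are constructed.
set -e
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal config: a section for CA certificates and one for end-entity (leaf) certificates.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF

# 1. Root CA: self-signed; this is what a trust store such as ca-bundle.crt holds.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 2 2>/dev/null
# 2. Intermediate CA: its CSR is signed with the root's private key (the chain of trust).
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
  -extfile ca.cnf -extensions v3_ca -out inter.pem 2>/dev/null
# 3. Leaf (server) certificate: its CSR is signed by the intermediate.
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 1 \
  -extfile ca.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# A check succeeds only if openssl reports "leaf.pem: OK".
verify() { openssl verify "$@" leaf.pem 2>&1 | grep -q ': OK$'; }
# Root as trust anchor, intermediate supplied as untrusted chain material: valid.
chain_with_root()       { verify -CAfile root.pem -untrusted inter.pem; }
# Root as anchor but the intermediate is missing: the chain cannot be built.
chain_missing_inter()   { verify -CAfile root.pem; }
# Only the intermediate offered: it is not self-signed, so it is not a trust anchor.
chain_inter_as_anchor() { verify -CAfile inter.pem; }

for c in chain_with_root chain_missing_inter chain_inter_as_anchor; do
  if "$c"; then echo "$c: valid"; else echo "$c: rejected"; fi
done
```

The second and third checks are why a server must send its intermediate certificate and why only root certificates belong in the trust store.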
Decentralized Model
See Trust model - Web of trust:
- PGP
- …
Intranet
Requesting a certificate from a local certification authority
Update
CentOS
On CentOS, the package ca-certificates contains the latest set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI.
To get the latest CAs:
yum install ca-certificates
It installs the following files.
The most important one is /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit, a bundle of X.509 certificates of public Certificate Authorities. It was generated from the Mozilla root CA list.
File (stored under /etc/pki) | Description
---|---
ca-bundle.crt | List of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
ca-bundle.trust.crt | List of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
/etc/pki/java/cacerts | List of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
To know more, see the documentation of update-ca-trust, which manages the consolidated and dynamic configuration of CA certificates and associated trust.
Example commands:
update-ca-trust force-enable
update-ca-trust extract