What is a CA ?

A Certification Authority (CA) is a trusted authority that is responsible for creating, distributing, and revoking digital certificates. A CA issues digital certificates only to users who can prove their identity and credentials to the CA. A CA is the basic building block of a PKI and is known by two attributes: its name and public key. The following is a summary of some important CA responsibilities:

  • Enrollment The first step or interaction in the certification process is for the applicant to register with the CA for a certificate (aka certificate enrollment process). The information that the applicant needs to provide depends on the class of the certificate (class 1, 2 or 3) and the CA policy.
  • Authentication: The next step is for the CA to confirm that the information provided by the applicant is accurate and verified. The confirmation/verification process is critical. If someone masquerades as the user and gets the certificate, he can enter into fraudulent transactions. A CA may issue various levels/classes of certificates and use different confirmation methods for each type of certificate issued (password, email, id card, ...).
  • Certificate Generation: After the confirmation is complete, the CA needs to bind the subject's public key to its identity. The CA then generates a certificate and signs the certificate with its signing private key. The CA then forwards the newly issued certificate to either the Registration Authority (RA) or directly to the subscriber, the original applicant. The CA may also back up the certificate and submit it to a certificate repository for distribution
  • Certificate Distribution: The CA can distribute certificates using a variety of methods including directory services like LDAP, email or online enrollment.
  • Certificate Revocation: A certificate revocation typically originates from an RA or the subscriber directly. The issuing CA is responsible for validating the origin and authenticity of the revocation request prior to revoking the certificate. A CA must maintain status information about certificates during the validity period and provide revocation information to certificate-using systems.


The CA performs four basic PKI functions:

  • Issues certificates (this implies it creates and signs certificates).
  • Maintains certificate status information and issues CRLs.
  • Publishes its current (unexpired) certificates and CRLs, so users can obtain the information they need to implement security services.
  • Maintains archives of status information about the expired or revoked certifi- cates that it issued.