Certificate Authorities and Trust Chains
Learn how root CAs, intermediate CAs, and end-entity certificates form a hierarchy that browsers and operating systems trust.
The Trust Problem in Public Key Crypto
Public-key cryptography is only useful if you can trust that a public key actually belongs to the party you think it does. Without a trust mechanism, an attacker who can intercept your request for someone's public key can substitute their own, decrypt or sign traffic as that party, and relay it onward: a classic man-in-the-middle attack. Public Key Infrastructure (PKI) addresses this by introducing a Certificate Authority (CA), a trusted third party that digitally signs certificates binding public keys to verified identities. If you trust the CA's signing key, you can trust the binding in any certificate that CA has issued.
What Is a Certificate Authority?
A Certificate Authority (CA) is an organization that issues digital certificates after verifying the identity of the certificate requestor. The CA signs each certificate with its own private key, so anyone who trusts the CA can verify the certificate's authenticity with the CA's public key. In practice a root CA's key is kept offline and used only to sign intermediate CA certificates; the intermediates issue end-entity certificates, and a verifier walks the chain from the end-entity certificate up to a root it already trusts. There are two types of CA: Public CAs (like DigiCert, GlobalSign, Let's Encrypt) whose root certificates are pre-installed in operating systems and browsers; and Private (Internal) CAs that organizations run themselves for internal certificate issuance (VPNs, internal services, device certificates).
# View a website's leaf certificate: who issued it and whom it was issued to
# (-showcerts prints the whole chain; openssl x509 parses only the first cert, the leaf)
openssl s_client -connect google.com:443 -servername google.com -showcerts 2>/dev/null |
openssl x509 -noout -text | grep -E 'Issuer:|Subject:'
# Issuer: C = US, O = Google Trust Services, CN = WR2
# Subject: CN = *.google.com
# The same two fields as reported by curl during its TLS handshake
# (curl built against OpenSSL; other TLS backends format these lines differently)
curl -v https://google.com 2>&1 | grep -E 'issuer:|subject:'
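To see the trust chain mechanism end to end rather than only inspecting a public site, the following script is an added example (not code from the original lesson) that builds a three-tier PKI with the openssl CLI: a self-signed root, an intermediate signed by the root, and a leaf certificate signed by the intermediate. It then verifies the leaf with the root as the only trust anchor, and shows that a certificate for the very same hostname issued by a second, untrusted CA is rejected, which is exactly the substitution a man-in-the-middle would attempt. The CA names, the hostname www.example.test, the "rogue" CA and the $WORK scratch directory are all made up for the demo; it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original lesson: build a root -> intermediate ->
# leaf chain with the openssl CLI, verify it against the root alone, and show
# that a certificate for the same hostname issued by a CA we do not trust is
# rejected. Names (Example Root CA, www.example.test, the rogue CA) and the
# $WORK scratch directory are made up for this demo. Needs OpenSSL 1.1.1+.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the script does not depend on the distro's openssl.cnf;
# -subj below overrides the placeholder CN.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extensions are applied by the issuer at signing time, never taken from the CSR.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
              'keyUsage=critical,digitalSignature' \
              'extendedKeyUsage=serverAuth' \
              'subjectAltName=DNS:www.example.test' > "$WORK/leaf.ext"

# make_csr NAME CN: fresh P-256 key plus a CSR carrying the requested subject
make_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
        -subj "/CN=$2" -out "$WORK/$1.csr"
}

# make_root NAME CN: self-signed CA certificate, i.e. a trust anchor
make_root() {
    make_csr "$1" "$2"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -days 3650 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/$1.pem"
}

# issue NAME CN ISSUER EXTFILE: certificate for NAME signed with ISSUER's key
issue() {
    make_csr "$1" "$2"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/$4" -out "$WORK/$1.pem"
}

# cert_issuer NAME: the Issuer DN, i.e. who vouches for this certificate
cert_issuer() { openssl x509 -in "$WORK/$1.pem" -noout -issuer; }

# verify_chain ROOT INTERMEDIATE LEAF HOST: succeeds only if LEAF chains up to
# ROOT via INTERMEDIATE and names HOST. ROOT is the sole trust anchor; the
# system store is deliberately not consulted (-no-CAfile -no-CApath).
verify_chain() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
        -untrusted "$WORK/$2.pem" -verify_hostname "$4" "$WORK/$3.pem"
}

build_pki() {
    make_root root "Example Root CA"
    issue int "Example Intermediate CA" root ca.ext
    issue leaf "www.example.test" int leaf.ext
    # A second, independent CA nobody trusts, issuing a cert for the same host:
    # this is what a man-in-the-middle can produce without the real CA's key.
    make_root rogue "Rogue CA"
    issue rogue-leaf "www.example.test" rogue leaf.ext
}

build_pki
echo "leaf issuer:       $(cert_issuer leaf)"
echo "rogue-leaf issuer: $(cert_issuer rogue-leaf)"
if verify_chain root int leaf www.example.test; then
    echo "genuine leaf: trusted"
fi
if verify_chain root int rogue-leaf www.example.test; then
    echo "rogue leaf: trusted (this must not happen)"
else
    echo "rogue leaf: rejected, its issuer does not chain to Example Root CA"
fi
```

The `-untrusted` argument plays the role a TLS server plays in a real handshake: it supplies the intermediate certificate, which the verifier may use for chain building but does not trust on its own. Only `-CAfile` (here the single root) is a trust anchor, so the rogue CA's certificate for www.example.test fails with "unable to get local issuer certificate" even though its Subject and SAN are identical to the genuine one. Run the leaf verification without `-untrusted` and it fails the same way, which is why a server that forgets to send its intermediate breaks for clients that do not already cache it.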