CAs are entrusted to make online interactions more secure, prevent identity theft, and make users more trustful of the organisations they deal with online. According to Google’s Transparency Report, roughly 93.2% of browsing time on Chrome is spent on HTTPS pages that have legitimate digital certificates.
Developing a better understanding and appreciation of the role and importance of a certificate authority can be difficult without familiarising yourself with the key terminology used within the context of online identity authentication and data security.
This glossary aims to demystify the key terms that are commonly used along with CAs.
What is a Certificate Authority and Why Does It Matter?
A CA is an entity whose main responsibility is to issue digital certificates, such as SSL certificates and code-signing certificates. These include root certificates, intermediate certificates, and end-entity certificates. Root certificates and intermediate certificates are fully issued and managed by the CA, while end-entity certificates are co-signed by the client and the CA to add a higher level of security and authentication. These certificates are used to verify the identity of individuals, websites, and organisations online. A digital certificate is essentially a binding between a cryptographic public key and an entity, which allows one party to confirm the identity of the other through the corresponding private key. So, for example, when a site visitor uses their browser to view your website, their browser reads the public key to establish trust and assure the visitor that the communication between the browser and server is secure.
CAs play a crucial role in the Public Key Infrastructure (PKI), ensuring security and creating a chain of trust across users and organisations on the internet. They authenticate domains, websites, and organisations so that users can trust that they are dealing with the legitimate entity they searched for.
For internet users, this layer of security provides confidence that they are connected to an authentic website instead of a fake one and that their personal data is safe from cyber-attacks.
Understanding SSL/TLS Certificates: A Vital Component
SSL/TLS certificates are integral for maintaining secure online communications.
An SSL/TLS certificate is a digital certificate that encrypts online communications to maintain data security and privacy. Technically, an SSL certificate is a cryptographic file that you install on your server or hosting control panel after obtaining it from a certificate authority. When a user visits a website through HTTPS, both the browser and the server verify each other’s identity before connecting, a process that’s commonly known as a “TLS handshake”. Here are the detailed steps of this procedure:
- The browser initiates a connection to the server and sends an identity verification request.
- The server receives the browser’s request and sends back a public key and a copy of its certificate.
- The browser receives the server certificate and validates it using a list of publicly trusted certificate authorities.
- If the browser trusts the CA certificate, it creates a session key to start the session to prevent man-in-the-middle attacks.
In the TLS handshake, once both parties successfully authenticate one another, an encryption key is generated and utilised. Primarily, SSL certificates serve two purposes: authentication and encryption. Encryption involves keeping the exchange of information secure with cryptographic keys. This ensures that only the intended end user can decipher the message.
In terms of authentication, SSL/TLS certificates signed by reputable CAs create a chain of trust across users, CAs, and organisations on the internet. Since the certificate authority verifies the entity with a strict validation process before accepting their request to obtain a certificate, it ensures a secure and trusted environment for the user to communicate with the organisation without risking data breaches.
As a user, you can easily check the details of the SSL certificate of the website you are visiting to double-check its validity. Here is the information you should find:
- The CA that issued the certificate;
- Information about the public key and the crypto algorithm used to sign the certificate;
- Details related to the certified domain, as well as information about the organisation (in case of organisation validation certificates);
- The duration for which the certificate is valid (the expiration date).
The information should be easily accessible on all trusted web browsers.
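The same check can be scripted. The following is an added example, not code from the original article: it uses Python's standard `ssl` module to complete a handshake and pull the issuing CA, certified domains, organisation, validity period and revocation endpoints out of the certificate. The function names and the `SAMPLE` certificate are constructed for illustration.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5.0):
    """Complete a TLS handshake with host and return the validated leaf certificate."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _rdn(name):
    """Flatten the nested tuples ssl uses for subject/issuer into a dict."""
    return {key: value for rdn in name for key, value in rdn}

def summarise(cert, now=None):
    """Pull out the fields listed above from a getpeercert()-style dict."""
    now = time.time() if now is None else now
    subject, issuer = _rdn(cert["subject"]), _rdn(cert["issuer"])
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "domains": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        # DV certificates carry no organisation in the subject; OV and EV do.
        "organisation": subject.get("organizationName"),
        "in_validity_period": not_before <= now <= not_after,
        "days_left": int((not_after - now) // 86400),
        "ocsp": list(cert.get("OCSP", ())),
        "crl": list(cert.get("crlDistributionPoints", ())),
    }

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE = {
    "subject": ((("countryName", "GB"),), (("organizationName", "Example Ltd"),),
                (("commonName", "www.example.test"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust RSA CA 1"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
    "OCSP": ("http://ocsp.example.test",),
    "crlDistributionPoints": ("http://crl.example.test/ca1.crl",),
}

if __name__ == "__main__":
    at = ssl.cert_time_to_seconds("Dec  2 00:00:00 2024 GMT")
    for field, value in summarise(SAMPLE, now=at).items():
        print(f"{field}: {value}")
```

For a live site, pass the result of `fetch_cert("your.hostname")` to `summarise()`. The dict returned by `getpeercert()` does not expose the public key or signature algorithm; reading those requires a full X.509 parser.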
Three Types of Validation Certificates
Three types of validation certificate can be issued, depending on the extent of validation required to obtain one.
Domain Validation Certificates: The Basic Level of Trust
Domain validation is the basic level of validation a CA performs when an entity requests a digital certificate. It’s the easiest and fastest certificate to obtain, especially when compared to organisation validation and extended validation certificates. The CA only ensures that the requester is the legitimate owner of the website.
Domain validation certificates are good for low or medium level webmasters who want to create the bare minimum level of trust with their users. They are not suitable for established businesses or enterprises that aspire to establish a higher level of trust for their users.
Organisation Validation Certificates: Increasing Trust
An Organisation Validation (OV) certificate is a type of digital certificate where the CA goes through a more extensive verification for the certificate requested by the client. It’s typically used when the requester is an organisation, not an individual.
Throughout the verification process, the trusted Certificate Authority ensures that the business is legitimate and verifies the domain ownership. Commonly, organisation validation certificates are used by businesses and government agencies. They present a good option for organisations that want to authenticate and manage multiple identities, without the overheads of an extended validation certificate.
Extended Validation: The Most Rigorous Validation
An extended validation (EV) TLS/SSL certificate is like an OV certificate but with more stringent verification procedures. It’s considered the most rigorous validation process for CAs. A CA may offer an EV certificate depending on the organisation’s size of operations and industry. For instance, a large organisation that has multiple customer-facing touchpoints, such as shopping carts and customer support channels, is more likely to go through a more rigorous validation process than a business with limited customer interactions.
EV certificates meet the X.509 international PKI compliance standards. They are recommended for large businesses and enterprises that need to earn customers’ trust by securing web pages. They can drastically enhance the user experience and minimise bounce rates.
When comparing EV and OV certificates, EV certificates are generally considered more trusted and secure. Nevertheless, both certificates provide an enhanced level of trust and security.
If you visit a website with an OV or EV certificate, you’ll still see a padlock icon that refers to the certificate’s authentication, though with a minor visual difference when clicked.
The Importance of Certificate Revocation
Certificate revocation is the process of invalidating a digital certificate if it is found that the key was compromised or the domain it was issued for has expired.
Unlike certificate expiration, where the certificate becomes invalid once it reaches its expiration date, certificate revocation happens immediately, even if the certificate hasn’t expired yet.
Public CAs maintain Certificate Revocation Lists (CRLs) that contain all the invalidated certificates. When a user attempts to establish a connection with a website, the browser checks if the certificate is on the CRL before generating a session key. The certificates in the revocation list typically contain their serial numbers and revocation time.
One disadvantage of CRLs is that the client must go through the entire list to ensure that the certificate is valid. This can be resource-intensive, and in some cases, a certificate may be revoked while the client is checking the CRL, leading them to accidentally accept a seemingly valid certificate.
A modern validation technique that has gained traction recently is the Online Certificate Status Protocol (OCSP). Unlike traditional CRL scanning, the OCSP process starts with the client sending the certificate to the CA it was issued by. Then, the CA responds with the certificate status, which can be “good”, “unknown”, or “revoked”. OCSP is much more reliable and efficient than the CRL method.
Public Key Infrastructure (PKI): The Underlying Architecture
PKI is a set of procedures that regulate and control the entire online authentication and certification landscape. It includes software, policies, hardware, and anything that’s considered vital for issuing, managing, and revoking digital certificates.
The PKI creates a sustainably secure and trustable online environment for users and organisations, particularly in industries that involve the exchange of sensitive information. It is essential for enabling security technologies like encryption, authentication certificates, and digital signatures.
PKIs play a crucial role in establishing and maintaining the identities of people and businesses on the internet, as well as controlling access levels and providing protection for mission-critical data in sensitive transactions. Emerging business applications, especially those that rely on electronic interactions and transactions, are more dependent on the PKI architecture than legacy applications. They also need to meet stricter compliance laws and regulations, especially when the safety of user data is concerned.
CAs fall under the umbrella of the PKI architecture. They are responsible for issuing certificates, or in other words, linking public keys with their respective users to authenticate their identities. CAs are considered the focal point when it comes to PKI security, and thus, they are a common target for cyber-attacks.
To maintain the security of a PKI, several controls are implemented. These include both logical and physical controls. Other mechanisms, like security modules, are also utilised.
Conclusion
As a public CA with a proven track record that’s vetted and trusted globally, GlobalSign enables channel partners to create trustful relationships with their users and provides a safe online communication environment with a wide range of security and online identity authentication solutions.
Send us an email at marketing-apac@globalsign.com to discuss how we can help you authenticate your business identity and increase the trustworthiness of your online presence.