Certificate Authorities – CompTIA Security+ SY0-401: 6.3

Our browser encryption relies on certificate authorities to establish trust in the certificates it receives. In this video, you’ll learn how certificate authorities are used on our computers and the differences between a commercial CA and a private CA.

The use of a certificate authority is what builds the trust inside our browser when it begins encrypting data to a third-party website. Whenever we send encrypted information, we want not only to protect the data but also to be sure that we are exchanging it with the right party on the other end. Encryption alone doesn’t give us that; it’s the certificate authorities that allow us to do this.

The way this works is that if you need a certificate, you go to any one of the certificate authorities. If you look in your browser’s certificate settings, you’ll see, behind the scenes, the list of all the CAs your browser trusts. So if I go to one of those CAs and ask them for a certificate, they will digitally sign it and send it back to me. I go through the process of creating a key pair, and I send my public key to the CA in a certificate signing request. The private key never leaves my server; the CA only ever sees the public half.

They then confirm that it’s really me. They go through a verification process, then digitally sign the certificate and send it back to me. That means anyone who connects to my web server can see that the certificate has been digitally signed by a certificate authority that is already trusted inside the browser. There are also a number of different validation levels that a CA can provide. You’ll notice that when you go to some websites, your browser’s address bar turns green.

On other websites it turns green and also shows additional verification details about the organization. The CAs can issue different types of certificates (domain validation, organization validation, and extended validation, which is what the green bar indicated in browsers of this era) that provide more and more assurance about who you are dealing with. The encryption is the same in each case; what differs is how much checking the CA did before signing. They usually step through a number of checks to make sure that the party receiving the certificate really is the party named on the certificate.

If you’re an organization with a lot of internal servers that need to encrypt data back and forth, you may not want to go to an external certificate authority and pay them for every certificate. Instead, you can build all of your certificates in-house by creating your own certificate authority. You simply set up a certificate authority server in your organization and use it to sign the certificates for all of your internal servers. Each server still generates its own key pair and keeps its private key; the CA signs only the server’s public key and name.

The other side of this, of course, is that you have to take the certificate authority’s root certificate and install it, or push it out, to all of the desktops that will be accessing those servers, so that they trust your servers just as they trust servers whose certificates were signed by commercial certificate authorities. A desktop that never received your root certificate will show a certificate warning for every one of your internal servers. Generally you configure and set this up with something like Microsoft Certificate Services (Active Directory Certificate Services) or OpenCA; there are a lot of different ways to build your own certificate authority in-house. If you have a lot of servers and you need to provide that level of encryption with those certificates, you can save a lot of money doing this in-house rather than going outside to a commercial certificate authority. The trade-off is that your CA’s private key now protects every internal server: anyone who obtains it can issue certificates that all of your desktops will trust, so it needs the same protection a commercial CA gives its own key.
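The exchange described above (server key pair, public key sent to the CA, CA signs and returns a certificate, client checks the signature against a root it already trusts) together with the in-house CA setup, as an added example that is not part of the original video. It assumes `openssl` 1.1.1 or later is on the PATH; the organization names, the host name `intranet.example.internal`, and the function names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original video: a minimal in-house CA built with
# the openssl command line. It runs both sides of the exchange and shows why the
# root certificate must be pushed to every desktop: a client that trusts only
# some other root rejects our server certificate.
# Assumptions: openssl 1.1.1+ on PATH; names below are invented for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER_NAME="intranet.example.internal"

# CA side: generate the CA's own key pair and self-sign a root certificate that
# is explicitly marked as a CA. $1 is a file prefix, $2 the subject name. The
# .key file stays on the CA server; only the .crt file is distributed.
make_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1_ext.cnf"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -sha256 -days 3650 \
    -extfile "$WORK/$1_ext.cnf" -out "$WORK/$1.crt" 2>/dev/null
}

# Server side: generate the server's key pair and a certificate signing request
# (CSR) carrying the public key and the server's name. The private key never
# leaves the server; the CSR is what is sent to the CA.
make_server_request() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null
  openssl req -new -key "$WORK/server.key" \
    -subj "/O=Example Corp/CN=$SERVER_NAME" -out "$WORK/server.csr" 2>/dev/null
}

# CA side: check the request and sign it. Confirming who the requester is
# happens out of band (the CA's "verification process"); what openssl can check
# here is that the CSR's own signature matches the public key inside it, i.e.
# the requester holds the private key. The CA then sets the extensions itself
# instead of trusting whatever the requester asked for.
issue_server_cert() {
  openssl req -in "$WORK/server.csr" -verify -noout 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$SERVER_NAME" > "$WORK/server_ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 397 -extfile "$WORK/server_ext.cnf" \
    -out "$WORK/server.crt" 2>/dev/null
}

# Client side: what a browser does on connect. It checks the server
# certificate's signature against the roots in its trust store and that the
# certificate is for the name it connected to. $1 is the trust store (a PEM
# file of root certificates); -no-CApath keeps the system store out of it.
# Prints "trusted" or "untrusted".
trust_result() {
  if openssl verify -no-CApath -CAfile "$1" -verify_hostname "$SERVER_NAME" \
       "$WORK/server.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Who signed the server certificate, as a client would display it.
issuer_of_server_cert() {
  openssl x509 -in "$WORK/server.crt" -noout -issuer
}

make_ca ca "/O=Example Corp/CN=Example Corp Root CA"
make_server_request
issue_server_cert
# A second, unrelated root stands in for a desktop that never received our CA.
make_ca other "/O=Some Other Org/CN=Some Other Root CA"

echo "issuer: $(issuer_of_server_cert)"
echo "desktop with Example Corp root installed: $(trust_result "$WORK/ca.crt")"
echo "desktop with only an unrelated root:       $(trust_result "$WORK/other.crt")"
```

The second `trust_result` call is the warning your users see when the root was never pushed out. Distributing the root is the part the video leaves implicit: on Windows it goes into the machine’s Trusted Root Certification Authorities store (`certutil -addstore -f Root ca.crt` on one machine, or Group Policy for the fleet); on Debian and Ubuntu it is copied into `/usr/local/share/ca-certificates/` followed by `update-ca-certificates`. Only `ca.crt` is distributed; `ca.key` stays on the CA server.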