What’s a Certificate Authority (CA)?
A certificate authority is an institution that distributes digital certificates. Certificate issuance is a critical part of securing interactions on the internet because certificates cryptographically tie an identity to a public key.
Certificates are commonly used in SSL encryption, to authenticate people and devices, and to legitimize documents and code.
A feature of a good certificate authority is ‘ubiquity’. They need to be compatible with as many versions of operating systems and internet browsers as possible so that they can provide uninterrupted validation of certificates to all users across any device or service.
The simple-English answer to the question “What do certificate authorities do?” is this:
They make sure everyone on the internet is who they say they are.
But why should we take their word for it?
Why Do We Trust Certificate Authorities?
You’ll often see the phrase “certificate authority” preceded by the qualifier “trusted” because that trait is so critical to their operation.
A certificate authority has to be trusted by everyone involved to be useful. They are responsible for validating that entities online are indeed who they claim to be. A trusted certificate authority is the reason that clicking a link to “https://www.google.com” actually takes you to Google and not a spoofed site.
Building that trust is an interesting and complicated endeavor. They need to be widely trusted in order to attract customers, and to become trusted, they need to already have customers.
There’s a bit of a chicken-and-egg conundrum here, but there are ways around it.
Trustworthy CAs will be a part of the CA/Browser Forum, a self-organized and self-policing regulatory group for certificate authorities. They collectively create and update guidelines that govern the creation, use, and distribution of certificates on the internet.
A CA that wants to be utilized will also adhere to ‘membership programs’ defined by each browser and operating system. The programs are essentially a set of strict rules and guidelines that have to be followed in order to consider integration.
Older CAs are also generally regarded as more trusted for the same reason that companies put “Established in XXXX” on their logos. People associate longevity with worth.
Part of the process of issuing a certificate is an identity check. Every CA has its own procedures for confirming the identity of the entity applying for a certificate. It’s like a background check, but one that also extends to devices. More stringent procedures make for a more trusted CA.
Certificate Authority Trust Hierarchy
At the core of all certificate authorities is the root certificate and its associated private key. This is a “master key” of sorts – it signs all digital certificates issued by the authority and legitimizes them.
Part of the reason they’re called trusted certificate authorities is because we inherently trust that they keep this root safe. If it were compromised, malicious parties would be able to falsely validate any certificate issued by the CA, which could have catastrophic consequences.
The measures CAs go to in order to protect the root are extreme. They’re usually stored in a secure facility, powered off, and air-gapped so that there is no possible network connection and no potential for theft.
So how does it validate certificates in that state? The root is used to create intermediate certificates, which have the same measure of trust afforded to the root because they are validated by it. At the same time, they are accessible by the public and so can validate certificates in the root’s stead. If an intermediate certificate is compromised, the root is always available as a backup.
What’s a Public Certificate Authority?
A Public CA is, unsurprisingly, a certificate authority that provides services to the general public. Any organization providing CA services to you that you’re not affiliated with is a public CA.
Most public CAs are companies that have garnered the trust of the public at large. There are public CAs run by governments as well.
They are a widely-used utility on the internet. Most forms of security or privacy include a public CA in one form or another. Examples include implementing SSL, signing digital documents, and encrypting emails.
When to Use a Public Certificate Authority
Public CAs issue the majority of certificates. They are the default option and are sufficient for most use cases.
Since you often have to pay for each certificate issued, Public CAs are the best option if you only need to issue a limited number of certificates.
It’s also the go-to solution anytime the situation requires transparent communication over the internet. For any public-facing product or service, you’ll need a public CA.
What’s a Private Certificate Authority?
Private CAs, also called local CAs, are self-hosted certificate authorities usually meant for internal use.
They have an intentionally limited scope – usually only used within an organization such as a very large company or a university. The private CA is really only ‘trusted’ by users within that organization – and that’s okay because it rarely interfaces with outside networks.
Is a private CA Wi-Fi more secure than a public CA Wi-Fi? Yes and no. It’s not inherently more secure because of any infrastructure or software differences. It is more secure because there are fewer links in the chain and less potential failure points.
The obvious downside to a private CA is that you have to set up and run the infrastructure yourself. That represents a significant time and financial commitment, so it’s not commonly used unless it’s necessary.
When to Use a Private Certificate Authority
Despite the hassle, a private CA offers some very significant benefits.
If you foresee needing to issue a high volume of certifications, either because the organization is massive or the certs will need to be reissued frequently, it can be cheaper to run your own CA than to pay for every one issued by a public CA.
Private CAs can also be significantly more secure than their public counterparts. Where a public CA hands out certificates to anyone who pays, private CAs restrict their certificates to specific people or devices (usually those within the organization).
Control over certificate expiration is an important feature to organizations that have a cyclical or time-sensitive nature. It would be a disaster if certificates expired in the middle of the week at a university, disconnecting every person and every device.
Use of a private CA is an important part of creating a robust and secure intranet (internal network).
Running Your Own Private CA and PKI
A private CA is necessary for some organizations, but it can be difficult to set up and maintain. SecureW2 offers a full complement of PKI services, including private CA custom-tailored to your needs. We have affordable options for organizations of any size. Click here to view our pricing options.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Patrick Grubbs. Read the original post at: https://www.securew2.com/blog/public-vs-private-certificate-authority/