A certificate authority (CA) is an organization that validates the identities of websites, email addresses, organizations and individuals in the digital realm. After authenticating the source, CAs bind these identities to cryptographic keys by issuing digital certificates.

Role of CAs in digital security

CAs play a pivotal role in securing all digital communication. They authenticate the identity of the organization or individual applying for a digital certificate, ensuring that the enclosed information accurately represents them.

These certificates enable encoded communication between two parties via public key infrastructure (PKI). The CA adds its digital signature to the certificate using a private key which can be verified with a public key, ensuring the certificate’s validity.

What eIDAS says about CAs

The Electronic Identification and Trust Services (eIDAS) regulation does not mention CAs specifically. Instead, it talks about qualified trust service providers (QTSPs). This broad category includes accredited entities that provide a variety of services, including the issuance of electronic seals, signatures, timestamps and qualified certificates.

eIDAS states that QTSPs should verify (adhering to national laws) the identity and specific attributes (if applicable) of the natural or legal entity receiving the certificate.

It also outlines the framework for the supervision and accreditation of QTSPs, emphasizing mutual recognition across EU states.

Core functions

The key responsibilities of CAs include:

Issuing digital certificates

A CA is responsible for issuing digital certificates — abiding by industry standards and best practices — to uphold trust in digital communications and transactions. They must verify the identity of the recipient and issue a certificate that securely links this identity to a public key.

Managing certificate lifecycles

After issuing a digital certificate, it must be managed throughout its validity period. This includes ensuring compliance with security policies, tracking usage and performance, verifying its legitimacy and revoking it if the private key is compromised or the subject matter changes, such as an employee leaving their company, for example.

Publishing certificate revocation lists

Certificate revocation lists (CRLs) are time-stamped lists with information about certificates revoked by the issuing authority before their scheduled expiration. Each entry includes a serial number that identifies a specific certificate and the reason for revocation.

The CA generates this list periodically and signs it with its private key to ensure integrity. CRLs are made available via secure communications channels, including websites and lightweight directory access protocol (LDAP) directories.

Types of certificates issued by CAs

· Digital signature certificates: Add a layer of security to online transactions and communications. They offer a means to validate the identity of the signer and ensure the integrity of the associated data.

· Code signing certificates: Used by software developers and publishers to sign their executable files and software components. They ensure the integrity of the code and allow end users to validate their software downloads.

· Email certificates: Allow entities to sign, encrypt and authenticate email communication, verifying the sender’s and intended recipient’s identities.

· Device certificates: Enable mutual authentication and secure connection between two devices via PKI.

*Disclaimer: This content does not constitute legal advice. The suitability, enforceability or admissibility of electronic documents will likely depend on many factors such as the country or state where you operate, the country or state where the electronic document will be distributed as well as the type of electronic document involved. Appropriate legal counsel should be consulted to analyze any potential legal implications and questions related to the use of electronic documents.