Blog January 9, 2026

What Is a Certificate Authority (CA)?

by Tim Lozier
What is PKI — A Practical Guide

Certificate Authority Defined

A Certificate Authority (CA) is a trusted system that issues and signs digital certificates. These certificates allow users, devices, and applications to prove their identity and establish secure communication.

Introduction

If PKI is the system that enables trust, the Certificate Authority is the component that makes that trust possible.

Every certificate that is trusted in your environment ultimately traces back to a CA. It is the entity responsible for validating identity and issuing credentials that other systems rely on.

Because of this, the CA is not just another server. It is one of the most critical trust anchors in your entire infrastructure.

Related: What is PKI?

What Does a Certificate Authority Actually Do?

At a high level, a CA performs three core functions:

It issues certificates, it signs them, and it establishes trust.

When a user or system requests a certificate, the CA evaluates that request based on defined policies. If the request is approved, the CA issues a certificate and signs it using its private key.

That signature is what allows other systems to trust the certificate. If they trust the CA, they trust what the CA has issued.

This process happens continuously in enterprise environments, often without direct visibility from administrators.

Types of Certificate Authorities

Most enterprise PKI environments are built using a hierarchy of CAs rather than a single system.

Root CA

The root CA sits at the top of the trust hierarchy. It is the ultimate trust anchor. Because of its importance, it is typically kept offline and used only to issue certificates to subordinate CAs.

Intermediate or Subordinate CA

Intermediate CAs sit between the root and issuing CAs. They provide additional layers of separation and security. They allow organizations to limit exposure of the root CA while still maintaining a scalable trust model.

Issuing CA

The issuing CA is responsible for issuing certificates to users, devices, and applications. This is the CA that most systems interact with on a day-to-day basis.
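The hierarchy just described, together with the issue-sign-trust cycle from the previous section, as an added example written for this page (not code from the post or its author). The Go program below uses only the standard library to build a self-signed root, an intermediate signed by the root, and an issuing CA signed by the intermediate, each signing with its own private key; it then plays a relying party that trusts only the root and checks a server certificate. The CA names, the hostname app.example.internal and the path-length values are constructed for the example, and every key is generated in memory, which is the opposite of how a real root key should be kept.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// node is one participant in the hierarchy: its certificate and private key.
type node struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// template builds a CA or end-entity template; for CAs, maxPathLen caps how many
// further CAs may sit below this one (0 = it may only issue end-entity certs).
func template(cn string, serial int64, isCA bool, maxPathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.MaxPathLen, t.MaxPathLenZero = maxPathLen, maxPathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
	}
	return t
}

// issue is the CA's core job: the signer signs the template with its own private
// key. A nil signer yields a self-signed certificate, which is how a root starts.
func issue(tmpl *x509.Certificate, signer *node) (*node, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signKey := tmpl, key
	if signer != nil {
		parent, signKey = signer.cert, signer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &node{cert: cert, key: key}, nil
}

// buildHierarchy creates the three tiers from the post, each signed by the one
// above it, and returns [root, intermediate, issuing]. Names are constructed.
func buildHierarchy() ([]*node, error) {
	names := []string{"Example Root CA", "Example Intermediate CA", "Example Issuing CA"}
	var chain []*node
	var parent *node
	for i, cn := range names {
		n, err := issue(template(cn, int64(i+1), true, 2-i), parent)
		if err != nil {
			return nil, err
		}
		chain, parent = append(chain, n), n
	}
	return chain, nil
}

// verifyLeaf plays the relying party: it trusts only the root, is handed the
// leaf plus the intermediates, and looks for a valid chain for the DNS name.
func verifyLeaf(chain []*node, leaf *x509.Certificate, dns string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[0].cert)
	for _, n := range chain[1:] {
		inters.AddCert(n.cert)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dns})
	return err
}

func main() {
	chain, err := buildHierarchy()
	if err != nil {
		panic(err)
	}
	const host = "app.example.internal" // constructed hostname
	good, _ := issue(template(host, 100, false, 0), chain[2]) // leaf signed by the issuing CA
	fmt.Println("issued by our issuing CA:", verifyLeaf(chain, good.cert, host))
	// Same name, but signed by a CA that does not descend from our root: no path to the anchor.
	rogue, _ := issue(template("Unrelated CA", 4, true, 0), nil)
	bad, _ := issue(template(host, 101, false, 0), rogue)
	fmt.Println("issued by an unrelated CA:", verifyLeaf(chain, bad.cert, host))
}
```

Run it with `go run`: the first line prints `<nil>` (a chain to the root was found), the second an "unknown authority" error. That contrast is the post's "if they trust the CA, they trust what the CA has issued" in practice: a certificate with the right name but the wrong signer is worthless to a relying party anchored at your root, while anything the issuing CA signs is accepted without further question. The path-length constraint on the issuing CA is one of the "layered hierarchy" controls the post recommends: a relying party rejects any CA certificate that appears below it.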

Why the CA Is So Critical

The CA is effectively a central authority for identity within your PKI.

If a system trusts the CA, it will trust any certificate issued by that CA. This creates a powerful but risky dependency.

In practice, this means that the security of your entire PKI depends on the integrity of your CA.

If the CA is compromised, an attacker can issue valid certificates for any identity in the environment. That includes users, servers, and services.

This is why protecting the CA is one of the most important aspects of PKI design and operation.

What Happens If a CA Is Compromised?

A compromised CA represents a worst-case scenario for PKI.

Because certificates are trusted credentials, an attacker with control of a CA can issue certificates that appear legitimate. This allows them to impersonate identities, intercept communication, or establish persistent access.

From an operational standpoint, recovery is complex. It may require revoking large portions of the certificate hierarchy and re-establishing trust across the environment.

This is not just a technical issue. It can become a business-wide disruption.

Common CA Misconfigurations

In many environments, CA-related risks are not caused by compromise, but by misconfiguration.

Common issues include:

  • Overly permissive certificate templates
  • Weak access controls on CA systems
  • Lack of separation between CA roles
  • Insufficient auditing and monitoring

These issues often develop over time as environments evolve.

How to Secure a Certificate Authority

Securing a CA requires both architectural and operational controls.

From a design perspective, this includes:

  • Keeping the root CA offline
  • Using layered CA hierarchies
  • Limiting access to CA systems

From an operational perspective, it includes:

  • Monitoring CA health and activity
  • Auditing certificate issuance
  • Controlling changes to templates and configuration
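One way to turn "auditing certificate issuance" into something that runs, as an added example that is not part of the post: a small Go program that reads issuance records and flags the two template-related problems the post lists, a privileged template used by an unexpected requester, and a certificate obtained for a subject other than the requester through a template that should not allow it. The record format (pipe-separated fields), the template names, the policy and the log lines are all constructed for this example; real CA audit logs and template names differ by product, so the parser is the part you would replace.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one issuance record. The pipe-separated format is constructed for this
// example; substitute a parser for your CA's real audit log.
type Event struct {
	Time, Requester, Template, Subject string
}

// Policy captures what normal issuance looks like for this CA (constructed).
type Policy struct {
	// Templates whose certificates carry elevated trust (for example CA certificates)
	// and the only requesters that should ever use them.
	Privileged map[string][]string
	// Templates that legitimately let an agent request a certificate for someone else.
	// For every other non-privileged template the subject must match the requester.
	OnBehalfOf map[string]bool
}

// parseEvent parses "time|requester|template|subject".
func parseEvent(line string) (Event, error) {
	f := strings.Split(strings.TrimSpace(line), "|")
	if len(f) != 4 {
		return Event{}, fmt.Errorf("malformed record: %q", line)
	}
	return Event{Time: f[0], Requester: f[1], Template: f[2], Subject: f[3]}, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Audit returns one finding per issuance that deviates from the policy.
func Audit(lines []string, p Policy) ([]string, error) {
	var findings []string
	for _, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		e, err := parseEvent(line)
		if err != nil {
			return nil, err
		}
		if allowed, privileged := p.Privileged[e.Template]; privileged {
			if !contains(allowed, e.Requester) {
				findings = append(findings, fmt.Sprintf("%s: privileged template %q used by unexpected requester %q",
					e.Time, e.Template, e.Requester))
			}
			continue // privileged templates are judged by requester, not subject
		}
		if !p.OnBehalfOf[e.Template] && !strings.EqualFold(e.Requester, e.Subject) {
			findings = append(findings, fmt.Sprintf("%s: %q obtained a certificate for %q via template %q",
				e.Time, e.Requester, e.Subject, e.Template))
		}
	}
	return findings, nil
}

// sampleLog is constructed input: four expected issuances followed by two that
// the policy should flag.
var sampleLog = []string{
	"2026-01-09T08:00:00Z|ws01.example.internal|Workstation|ws01.example.internal",
	"2026-01-09T08:05:00Z|alice|User|alice",
	"2026-01-09T08:10:00Z|enroll-agent|EnrollmentAgentIssued|bob",
	"2026-01-09T08:15:00Z|pki-admin|SubordinateCA|Example Issuing CA",
	"2026-01-09T09:30:00Z|contractor|User|alice",
	"2026-01-09T09:45:00Z|contractor|SubordinateCA|Unexpected Sub CA",
}

// samplePolicy is the constructed policy the sample log is checked against.
var samplePolicy = Policy{
	Privileged: map[string][]string{"SubordinateCA": {"pki-admin"}},
	OnBehalfOf: map[string]bool{"EnrollmentAgentIssued": true},
}

func main() {
	findings, err := Audit(sampleLog, samplePolicy)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

The program reports exactly the last two records: the contractor who received a certificate in alice's name, and the same requester using the CA-certificate template. Both are things the post's "overly permissive certificate templates" and "weak access controls" produce silently; a check like this, run against every issuance and with the policy kept under change control, is what makes them visible.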

Related: Why PKI Fails

Final Thoughts

The Certificate Authority is the foundation of trust in PKI.

It enables everything else to function, but it also introduces a central point of dependency that must be carefully managed.

Understanding how your CA operates, and how it is secured, is critical to maintaining a trustworthy PKI environment.
