The certificate authority (CA), also called a certification authority, is the public key infrastructure (PKI) entity that digitally signs certificates and certificate revocation lists (CRLs). The CA generates some certificate contents itself, such as the serial number, issuer name and validity period, but is primarily responsible for collecting the subject's information from authorized sources and entering it into the certificate before signing.
The CA digitally signs and issues a subscriber’s certificate only when authorized by the appropriate trusted person or process, called a registration authority (RA). The RA ensures that only valid and appropriate information is included in the certificate and keeps evidence that due diligence was exercised in confirming that information to the assurance level the PKI requires.
Figure 1 – An example of a certificate authority as part of a public key infrastructure (PKI).
Figure 1 shows a certificate authority issuing certificates and CRLs as part of a PKI. The PKI must be operated in accordance with a certificate policy (CP) and a certification practice statement (CPS), which together establish the security assurance level of the issued certificates. Periodic audits confirm that the PKI is being operated in accordance with its CP and CPS.
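The issuance and revocation flow described above, as an added example in Go using only the standard library's crypto/x509 package (this is not code from the original page). The RA's authorization is modelled as a subject name and lifetime handed to Issue, which refuses any CSR whose subject the RA did not approve; the CA fills in serial number, issuer and validity itself, signs the certificate, and later signs a CRL that a relying party checks only after verifying the CA's signature on it. The names Example Root CA and alice@example.com are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors (key generation, self-signing); issuance and CRL checks return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA is a toy certification authority: signing key, own certificate, serial and CRL-number counters.
type CA struct {
	Cert           *x509.Certificate
	Key            *ecdsa.PrivateKey
	serial, crlNum int64
}

// NewCA generates a self-signed root entitled to sign certificates and CRLs.
func NewCA(name string) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{Cert: must(x509.ParseCertificate(der)), Key: key, serial: 1}
}

// NewCSR is the subscriber side: a key pair and a signed request carrying the claimed name.
func NewCSR(cn string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return key, must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key))
}

// Issue signs a certificate only for the subject the RA approved (approvedCN and validity stand in for the
// RA's record). Serial, validity and issuer come from the CA; the public key comes from the CSR after its proof of possession is verified.
func (ca *CA) Issue(csrDER []byte, approvedCN string, validity time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName != approvedCN {
		return nil, fmt.Errorf("CSR subject %q is not the RA-approved %q", csr.Subject.CommonName, approvedCN)
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validity),
		Subject:      pkix.Name{CommonName: approvedCN}, // the RA-validated value, not the raw CSR subject
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueCRL signs a CRL listing the given serials as revoked, with a nextUpdate one hour out.
func (ca *CA) IssueCRL(revoked ...*big.Int) ([]byte, error) {
	ca.crlNum++
	rl := &x509.RevocationList{Number: big.NewInt(ca.crlNum), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		rl.RevokedCertificates = append(rl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, rl, ca.Cert, ca.Key)
}

// IsRevoked trusts a CRL only if this CA signed it, then reports whether serial is listed in it.
func IsRevoked(caCert *x509.Certificate, crlDER []byte, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return false, fmt.Errorf("CRL not signed by this CA: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Two design points matter here. Issue copies the subject from the RA's approval rather than from the CSR, so a requester cannot smuggle an unapproved name past the CA even if the RA's check is later loosened; and IsRevoked refuses to consult a CRL until CheckSignatureFrom has tied it to the CA, since an unsigned or foreign CRL could otherwise un-revoke a certificate. A production relying party would additionally reject a CRL whose NextUpdate has passed and compare the CRL's Number against the last one seen, to block replay of an older list.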