Certificate Authorities and the Chain of Trust
A certificate authority (CA) is a trusted third party that issues and manages digital certificates. It issues the SSL/TLS certificate for a website, guaranteeing that the site is run by a legitimate operator. The padlock icon shown in the browser address bar indicates that the security of the communication is backed by a certificate issued by a certificate authority. As of 2024, Let's Encrypt manages over 300 million active certificates worldwide, and the adoption rate of HTTPS exceeds 95%.
Real-World Use Cases
"We got an alert that the SSL certificate in the production environment will expire next week. The automatic renewal by Let's Encrypt had been failing, so we fixed the certbot configuration and renewed the certificate manually. Going forward, we will add a setting to send a notification to Slack when a renewal fails."
The Certificate Issuance Flow
Historical Background
The certificate authority mechanism was established in the mid-1990s when Netscape developed SSL. Initially, a small number of commercial certificate authorities such as VeriSign monopolized the market, and obtaining a certificate cost tens of thousands of yen per year. When the nonprofit organization ISRG launched Let's Encrypt in 2015, free DV certificates spread, and the HTTPS adoption rate surged from about 40% in 2015 to over 95% in 2024. In the 2011 DigiNotar incident, a certificate authority was hacked and fraudulent certificates were issued, exposing the vulnerability of the certificate authority trust model itself.
The Role of a Certificate Authority
A certificate authority verifies the applicant's identity and issues a digital certificate that binds a public key to owner information. There are three levels of certificates: DV (domain validation), OV (organization validation), and EV (extended validation), with the EV certificate being issued only after the most rigorous review.
Relation to Anti-Phishing Measures
A common misconception is that "a site is safe as long as the padlock icon is displayed." In reality, even a phishing site can easily obtain a DV certificate, so the padlock icon alone cannot determine whether a site is safe. Get into the habit of carefully checking the domain name in the URL when logging in. Before entering your password, it is important to confirm that the site you are accessing is the legitimate one.