What is a Certification Authority (CA)?
CA, RA, QCP, LCP, TSP, QTSP, PKI, PTC, CRL, OCSP – what do all these letters mean? The world of trust services is full of abbreviations and technical jargon that mean little to ordinary users or business professionals. To make these industry concepts easier to understand and use, we start today with a look at what a Certification (or Certificate) Authority is and why it matters.
What is a Certification Authority (CA)?
A Certification Authority (CA) is an entity (a trust service provider or a certification service provider) that issues public key certificates, more commonly known as electronic or digital certificates. The CA is a central component of a Public Key Infrastructure (PKI): it uses the PKI to issue and revoke public key certificates and to publish verifiable statements about their status, for example certificate revocation lists (CRLs) and OCSP responses.
A digital certificate is a digital document that binds a public key to information about its owner (the subject), together with information about the issuer and about the certificate itself (serial number, validity period, permitted uses). Including actual identity attributes in the certificate is optional; it may instead carry only a pseudonym. The holder of the matching private key uses the certificate to authenticate to sensitive online services (web banking apps, public service platforms and so on). Digital certificates also serve companies and service providers: a successful authentication shows them that the person accessing their service holds the private key belonging to the certificate the CA issued for that identity.
So the CA vouches for the accuracy and trustworthiness of the information in the certificate. It acts as a trusted third party that helps build a relationship of trust between users and companies.
What does a CA do?
The Certification Authority takes care of the entire life cycle of a digital certificate. It is in charge of:
- Activating a certificate. A certificate is activated upon issuance. At LuxTrust, before issuing a qualified certificate, we must verify the identity of the applicant to make sure the person is who s/he claims to be.
- Re-activating a certificate (in case it was suspended). Suspension is a temporary, reversible withdrawal: while suspended, the certificate is listed as revoked with the reason certificateHold, and it is removed from that list when it is re-activated.
- Re-keying. The CA can also handle re-keying, i.e. issuing a new certificate for a new key pair when the current one approaches the end of its life. Certificates have a limited validity period depending on their type and the PKI's policies; LuxTrust certificates, for example, are valid for a period of 3 years.
- Revoking a certificate: the CA is also authorised to revoke a certificate, which makes it permanently unusable; unlike suspension, revocation cannot be undone. This happens when there is a suspicion that the private key belonging to the certificate has been compromised, at the request of the authorities, or when the CA discovers that a piece of information in the certificate has become obsolete or inaccurate. Revocation only protects relying parties that check the certificate's status (via CRL or OCSP) before trusting it.
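The life cycle just listed, as an added illustration (example code written for this page, not LuxTrust's software): a small Python model of the status records a CA keeps and consults when it answers CRL or OCSP queries. The register, its method names, the subject name and the dates are constructed for the example; the reason codes are the CRLReason values defined in RFC 5280, and the 3-year validity period is the one mentioned above. The model shows that a suspension is reported as a revocation with reason certificateHold, that revocation is irreversible, and that a relying party must check both the validity period and the revocation status.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Reason(IntEnum):
    """Subset of the CRLReason codes from RFC 5280, section 5.3.1."""
    KEY_COMPROMISE = 1
    SUPERSEDED = 4
    CERTIFICATE_HOLD = 6   # suspension: temporary and reversible
    REMOVE_FROM_CRL = 8    # lifts a hold on the next CRL


@dataclass
class Entry:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime
    held_at: datetime | None = None                 # set while suspended
    revoked: tuple[datetime, Reason] | None = None  # set once, never cleared


class StatusRegister:
    """Hypothetical model of the records behind a CA's CRL/OCSP answers."""

    def __init__(self, validity: timedelta = timedelta(days=3 * 365)):
        self.validity = validity  # assumed 3-year validity period
        self.entries: dict[int, Entry] = {}

    def issue(self, subject: str, now: datetime) -> int:
        # Identity vetting happens before this point; issuance activates the
        # certificate for its validity period. Serials are sequential here
        # only for the model; real CAs use unpredictable serial numbers.
        serial = len(self.entries) + 1
        self.entries[serial] = Entry(serial, subject, now, now + self.validity)
        return serial

    def suspend(self, serial: int, now: datetime) -> None:
        e = self.entries[serial]
        if e.revoked:
            raise ValueError("revocation is final: cannot suspend a revoked certificate")
        e.held_at = now  # listed on the CRL with reason certificateHold

    def reactivate(self, serial: int) -> None:
        e = self.entries[serial]
        if e.revoked:
            raise ValueError("revocation is final: cannot reactivate a revoked certificate")
        if e.held_at is None:
            raise ValueError("only a suspended certificate can be reactivated")
        e.held_at = None

    def revoke(self, serial: int, now: datetime, reason: Reason) -> None:
        if reason in (Reason.CERTIFICATE_HOLD, Reason.REMOVE_FROM_CRL):
            raise ValueError("holds go through suspend()/reactivate()")
        e = self.entries[serial]
        e.held_at, e.revoked = None, (now, reason)

    def rekey(self, serial: int, now: datetime) -> int:
        # New certificate (new key pair, serial and validity period) for the
        # same subject; the old one stays valid unless revoked, e.g. SUPERSEDED.
        return self.issue(self.entries[serial].subject, now)

    def status(self, serial: int) -> str:
        # What a CRL or OCSP lookup reports; a suspension shows up as revoked
        # with reason certificateHold, so relying parties refuse it as well.
        e = self.entries.get(serial)
        if e is None:
            return "unknown"
        if e.revoked:
            return "revoked:" + e.revoked[1].name
        return "revoked:CERTIFICATE_HOLD" if e.held_at else "good"

    def is_valid(self, serial: int, now: datetime) -> bool:
        # Relying-party check: inside the validity period and in good standing
        # (signature and chain verification are out of scope for this model).
        e = self.entries.get(serial)
        return e is not None and e.not_before <= now <= e.not_after and self.status(serial) == "good"


def demo() -> list[str]:
    """Walk one constructed certificate through the life cycle."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ca = StatusRegister()
    s = ca.issue("CN=Jane Doe (constructed sample subject)", t0)
    seen = [ca.status(s)]
    ca.suspend(s, t0 + timedelta(days=10))
    seen.append(ca.status(s))
    ca.reactivate(s)
    seen.append(ca.status(s))
    s2 = ca.rekey(s, t0 + timedelta(days=15))
    ca.revoke(s, t0 + timedelta(days=20), Reason.KEY_COMPROMISE)
    seen.append(ca.status(s))
    try:
        ca.reactivate(s)  # must fail: revocation is irreversible
    except ValueError:
        seen.append("reactivation refused")
    # The re-keyed certificate is unaffected, but it expires like any other.
    seen.append("valid" if ca.is_valid(s2, t0 + timedelta(days=100)) else "invalid")
    seen.append("valid" if ca.is_valid(s2, t0 + timedelta(days=4 * 365)) else "invalid")
    return seen
```

Calling `demo()` walks a certificate through issuance, suspension, re-activation, re-keying and revocation and returns the status a relying party would see at each step. The model deliberately leaves out what makes a real CA trustworthy in practice, namely signing the certificates and the CRL/OCSP responses with a key kept in a hardware security module, and the identity vetting that precedes `issue()`.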
What types of digital certificate are there and what are they used for?
Digital certificates cover a wide range of online activities and operations and can be used for different purposes: encipherment, signature and authentication (the certificate's key usage extension records which of these its key may be used for). Without going into too much technical detail, LuxTrust certificates can be classified:
Depending on the main purpose of use:
- Certificate for personal use: issued to a natural person. The certificate provides information about the individual, and any operation carried out with the certificate's keys, such as authentication or electronic signing, is done in the name of a private person.
- Certificate for professional use: issued to a natural person on request and after confirmation from a legal person or an institution. The certificate contains information not only about the individual (the delegated user) but also about the organisation that employs him or her. The professional certificate allows the delegated user to act on behalf of the legal person or institution in professional contexts.
- Certificates for securing websites: the SSL (Secure Sockets Layer) certificates, today more accurately called TLS certificates since TLS has replaced SSL, used to secure the connection between a web server and visitors' browsers over the Internet. They let the browser authenticate the server before an encrypted session is set up.
Depending on the level of assurance provided regarding the identity of the user:
- Qualified certificate (as defined in the eIDAS Regulation (EU) No 910/2014): offers a high level of assurance about the identity of the user. A qualified certificate is the only type of certificate that lets a user create qualified electronic signatures (together with a qualified signature creation device), which have the legal effect equivalent to handwritten signatures.
- Lightweight certificate: provides a lower level of assurance about the identity of the user (depending on the means used to verify it) and can be used to produce simple or advanced electronic signatures.
What does it take to become a CA?
If a company wants to become a Certificate Authority, it needs to procure a certified PKI, define the corresponding processes and author a certificate policy (CP) and a certification practice statement (CPS). It then has to be recognised and certified by the competent authorities. For a Certification Authority, regulatory compliance is key: CAs are regularly audited and supervised by the authorities to ensure they abide by current legislation. In case of infraction, CAs face serious consequences, up to the suspension of their services.
LuxTrust has been a Certificate Authority since its inception in 2005. Equipping more than 700,000 users around the world with trusted digital certificates, the company enables them to authenticate securely to web applications and to sign digital documents electronically. Should you wish to find out more about our digital certificates and how to use them, drop us an email here.