A certificate authority (CA) is an organization that issues digital certificates (Rouse, 2007) used to authenticate the identity of a company or other entity online. A certificate binds a public key to the name of the person or entity that controls the matching private key, together with other details about the key's owner, and carries the CA's signature over that binding. These certificates let servers establish authenticated, encrypted connections with users. The mechanism defends against man-in-the-middle attacks, in which an attacker impersonates the server: only the genuine server holds the private key corresponding to the public key in its certificate, and an attacker cannot obtain a CA-signed certificate tying the server's name to a key the attacker controls without first passing the CA's validation.
Many certificate authorities sell certificates, since certificates are what make secure online transactions possible. According to one 2017 survey, the top five CAs are Comodo, Symantec, GoDaddy, GlobalSign and DigiCert (“Top 10 SSL Certificate Providers 2015 | WhichSSL”, 2017). Each offers a different package depending on the customer's needs; for example, some provide 24/7 technical support, while others back their certificates with a $1.5 million warranty.
The graph below shows the CA market share trends. (“Top 10 SSL Certificate Providers 2015 | WhichSSL”, 2017)
Anyone can issue a certificate, but browsers will not trust it unless it chains to a root CA that is already in their trust store. The CA is responsible for validating the entity or organization applying for the certificate (for example, checking that the applicant actually controls the domain name in the request). Only after the CA has completed that validation and signed the certificate will browsers accept it.
In 2017, GoDaddy had to revoke about 9,000 of its customers' certificates after a bug was found in its domain validation process. Normally, when you buy a certificate from GoDaddy, the CA gives you a code to place on your web server; when GoDaddy's systems retrieve that code from your site, validation is complete. The bug caused the check to report success even when the code was not present in the server's configuration, so certificates could be issued without proof of control over the domain. Although this was a genuine security concern, the encryption on the affected sites was not weakened; the problem was one of mis-issuance, not of the TLS protocol. Users visiting the affected websites were shown warnings about the certificate in use. The bug was fixed as soon as it was detected (Muncaster, 2017).
To set up an internal CA for an organization, we can use the OpenSSL command line tools (Nguyen, 2015). These tools let us issue certificates for servers and for clients so that clients can authenticate to a server. The first step is to create a root key and a self-signed root certificate. Next we create an intermediate key and certificate, and sign the intermediate certificate with the root key. This is done for security reasons: the root key can then be kept offline, out of reach of attackers, while the intermediate is the one that actually issues keys and certificates to servers and clients. If the intermediate key is compromised, the root can revoke the intermediate certificate and issue a new one, without every relying party having to replace its trusted root. The last step is to use the intermediate to issue as many internal certificates as needed. Each server or client generates its own key pair and submits a certificate signing request (CSR) containing its public key and name; the private key never leaves the requester. Once the intermediate has signed the request, the resulting certificate lets the client or server authenticate to any service in the organization that trusts the internal root.
In some cases, a public CA can be combined with an internal private CA. For example, instead of running your own offline root, a public CA may sign your intermediate certificate so that everything it issues chains to a root browsers already trust; public CAs only do this under strict contractual and audit requirements, because such an intermediate could otherwise issue certificates for any name. A certificate revocation list (CRL) lists certificates that have been revoked before their expiry. When an employee leaves the organization, their certificate is revoked and the CRL records that change. A web application or server that checks the CRL can then refuse the employee's certificate the next time they try to log in to any of the organization's systems; a relying party that never consults the CRL will keep accepting the certificate until it expires. A certificate contains data about its owner, such as the owner's name and email address, the period for which the certificate is valid, the public key, an identifier of the issuing CA together with the certificate's serial number, and the CA's digital signature (a signed hash of all of these fields), so that any change to the certificate's contents can be detected. A root CA certificate's subject typically includes a country name, organization name and state name (Martin, 2002).
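As an added example (not code from Nguyen's guide or from any of the cited pages), the following POSIX shell script carries out the two-tier procedure from the previous paragraph with OpenSSL and then exercises the CRL described here: it creates a root key and self-signed root certificate, signs an intermediate with the root, has a server submit a CSR that the intermediate signs, verifies the chain, revokes the server certificate, publishes a fresh CRL and shows a CRL-checking relying party rejecting it. The CA names, the hostname intranet.example.internal, the directory layout and the configuration sections are assumptions made for the demo; it needs only the openssl binary.

```shell
# Added example (not code from the cited pages): a two-tier internal CA driven by
# the OpenSSL "req", "ca" and "verify" commands, then revocation of a server
# certificate via a CRL issued by the intermediate. The CA names, hostname and
# directory layout are assumptions chosen for the demo.
set -eu
# One config for every command below; OpenSSL expands "$dir" itself.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ root_ca ]
dir = $1/root
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/root.pem
private_key = \$dir/root.key
default_md = sha256
default_days = 1825
policy = policy_cn_only
[ intermediate_ca ]
dir = $1/intermediate
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/intermediate.pem
private_key = \$dir/intermediate.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = policy_cn_only
[ policy_cn_only ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ intermediate_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.internal
EOF
}
gen_key() {  # P-256 keys: quick to generate and fine for an internal PKI
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}
build_pki() {
    d=$1; cnf=$1/openssl.cnf
    for tier in root intermediate; do   # bookkeeping files "openssl ca" expects
        mkdir -p "$d/$tier/newcerts"; : > "$d/$tier/index.txt"
        echo 1000 > "$d/$tier/serial"; echo 1000 > "$d/$tier/crlnumber"
    done
    write_ca_config "$d"
    # 1. Root key + self-signed root cert. Kept offline in production: it only
    #    ever signs (or revokes) intermediates.
    gen_key "$d/root/root.key"
    openssl req -config "$cnf" -new -x509 -key "$d/root/root.key" -days 3650 \
        -subj "/CN=Example Internal Root CA" -extensions root_ext -out "$d/root/root.pem"
    # 2. Intermediate key + CSR, signed by the root. pathlen:0 forbids it from
    #    issuing further CA certificates.
    gen_key "$d/intermediate/intermediate.key"
    openssl req -config "$cnf" -new -key "$d/intermediate/intermediate.key" \
        -subj "/CN=Example Internal Issuing CA" -out "$d/intermediate.csr"
    openssl ca -config "$cnf" -name root_ca -batch -notext -extensions intermediate_ext \
        -in "$d/intermediate.csr" -out "$d/intermediate/intermediate.pem" >/dev/null 2>&1
    # 3. The server makes its own key + CSR; the intermediate issues an
    #    end-entity cert (CA:FALSE, serverAuth) without ever seeing the key.
    gen_key "$d/server.key"
    openssl req -config "$cnf" -new -key "$d/server.key" \
        -subj "/CN=intranet.example.internal" -out "$d/server.csr"
    openssl ca -config "$cnf" -name intermediate_ca -batch -notext -extensions server_ext \
        -in "$d/server.csr" -out "$d/server.pem" >/dev/null 2>&1
    # 4. Publish the intermediate's (still empty) CRL.
    openssl ca -config "$cnf" -name intermediate_ca -gencrl -out "$d/intermediate/intermediate.crl" 2>/dev/null
}
# Relying-party check: chain to the trusted root and consult the issuer's CRL.
# Exit 0 = accepted; non-zero = bad chain or revoked.
verify_server() {
    openssl verify -crl_check -CAfile "$1/root/root.pem" -CRLfile "$1/intermediate/intermediate.crl" \
        -untrusted "$1/intermediate/intermediate.pem" "$1/server.pem" >/dev/null 2>&1
}
# Revoke (key compromise, employee leaves) and publish a fresh CRL; the
# certificate file itself is unchanged, only the CA's database and CRL are.
revoke_server() {
    openssl ca -config "$1/openssl.cnf" -name intermediate_ca -revoke "$1/server.pem" >/dev/null 2>&1
    openssl ca -config "$1/openssl.cnf" -name intermediate_ca -gencrl -out "$1/intermediate/intermediate.crl" 2>/dev/null
}
work=$(mktemp -d); build_pki "$work"
verify_server "$work" && echo "before revocation: accepted"
revoke_server "$work"
verify_server "$work" || echo "after revocation: rejected (files in $work)"
```

The point to take from the last two lines is that revocation changes nothing in the certificate itself: running `openssl verify` against the same files without `-crl_check` still reports OK after `revoke_server`, because the chain of signatures is intact. Only a relying party that fetches and checks the issuer's CRL (what `verify_server` does) rejects the certificate, which is why a server that grants access on the strength of a certificate must consult the CRL (or an equivalent such as OCSP) rather than just verifying the chain.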
Martin, F. (2002). What is SSL and what are Certificates?. Tldp.org. Retrieved from http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
Muncaster, P. (2017). GoDaddy Revokes 9000 SSL Certs. Infosecurity Magazine. Retrieved from https://www.infosecurity-magazine.com/news/godaddy-revokes-9000-ssl-certs/
Nguyen, J. (2015). OpenSSL Certificate Authority — Jamie Nguyen. Jamielinux.com. Retrieved from https://jamielinux.com/docs/openssl-certificate-authority/index.html
Rouse, M. (2007). What is certificate authority (CA)? – Definition from WhatIs.com. SearchSecurity. Retrieved from http://searchsecurity.techtarget.com/definition/certificate-authority
Top 10 SSL Certificate Providers 2015 | WhichSSL. (2017). Whichssl.com. Retrieved from https://www.whichssl.com/top-10-ssl-certificate-providers.php