Skip to main content

Certificate Authority

PAGE

Certificate Authority

Certificate Authorities provide a crucial service for Internet browsers and users, as they verify the association between a domain name like example.com and a cryptographic key. A Certificate Authority provides the owner of the domain name with a signed certificate (a small file) that web visitors can independently verify. The certificate tells browser software "if you use this key to set up secure communications with example.com, no one can intercept those communications." Without such an introduction, browsers would easily succumb to traffic interception.

Besides verifying domain ownership, a Certificate Authority maintains up-to-date information about their certificates. If a Certificate Authority finds out that the information in a certificate is no longer valid, for instance because the corresponding private key was stolen, it has an obligation to revoke that certificate. In practical terms, browser software will query the appropriate Certificate Authority before loading any HTTPS site.1 If the Certificate Authority's response says "the certificate is revoked," the browser will not load the page. Depending on the site's security settings, there may be no option to bypass the resulting error, effectively blocking web users from the site's content.

Revocation is an important and healthy part of the HTTPS ecosystem. Keys do get stolen from time to time, and Certificate Authorities need a way to notify browsers about it. However, because the revocation mechanism provides a way to stop most users from visiting a site, it makes an attractive target for censorious governments and private entities, who may ask Certificate Authorities to take down sites that they dislike.

The CA Browser Forum has a policy document setting out the circumstances in which certificates of websites engaged in illegal activities can be cancelled. Status: active.

Back to top

JavaScript license information