What is a CA certificate, and why do we need it?

Nicolas S.Xu · Oct 15, 2016 · Viewed 13.5k times

I've just read this article about what an HTTPS service is, and understand the basics of HTTPS.

When requesting HTTPS content, the server will send a public key to the browser, so that every time the browser receives data, it will be decrypted with the public key.

My question is: what is a CA certificate for? Why do we need it?

Answer

Ding-Yi Chen · Apr 25, 2020

A CA certificate is a digital certificate issued by a certificate authority (CA), so SSL clients (such as web browsers) can use it to verify the SSL certificates signed by this CA.

For example, stackoverflow.com uses Let's Encrypt to sign its servers, and the SSL certificates sent by stackoverflow.com mention they are signed by Let's Encrypt. Your browser contains the CA certificate from Let's Encrypt, so the browser can use that CA certificate to verify stackoverflow.com's SSL certificate and make sure you are indeed talking to the real server, not a man-in-the-middle.

https://security.stackexchange.com/a/20833/233126 provides a more detailed explanation of how TLS/SSL certificates work.
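The verification step the answer describes, as an added example that is not part of the original answer: using only Go's standard crypto/x509 package, it creates a hypothetical "Example CA" (a constructed stand-in for a real authority such as Let's Encrypt), has that CA sign a server certificate for stackoverflow.com, and then plays the browser, accepting the server certificate only when the CA certificate is in the trust store and the host name matches. The CA name, keys and validity period are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with signer's key; when parent == tmpl the result is self-signed, which is how a CA root is created.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildChain constructs the hypothetical "Example CA" and a server certificate for host signed by it.
func BuildChain(host string) (ca, server *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	ca = makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed CA certificate: this is what the browser ships
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	server = makeCert(srvTmpl, ca, &srvKey.PublicKey, caKey) // server certificate signed by the CA's key: this is what the server sends
	return ca, server
}

// Verify plays the browser: server is accepted only if it chains to a CA certificate in trusted and was issued for host. Returns nil on success.
func Verify(server *x509.Certificate, trusted []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, srv := BuildChain("stackoverflow.com")
	rogue, _ := BuildChain("stackoverflow.com") // a second CA the "browser" does not trust
	fmt.Println("trusted CA:", Verify(srv, []*x509.Certificate{ca}, "stackoverflow.com"), "| untrusted CA:", Verify(srv, []*x509.Certificate{rogue}, "stackoverflow.com"))
}
```

The second Verify call fails with a signature error even though the rogue CA uses the same name, because the server certificate's signature only checks out against the key of the CA that actually issued it.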