Certificate Authority (CA)
A Certificate Authority is a trusted organization that verifies identities and issues digital certificates, binding a person or entity to a public key.
A Certificate Authority, or CA, is a trusted third party whose job is to vouch for who someone is in the digital world. Before issuing a digital certificate, the CA checks the applicant's identity to the level of rigor set out in its published policy, then signs a certificate that binds that verified identity to a specific public key. Anyone who later receives a signed document or message can verify the CA's signature on the certificate using the CA's own public key and, if they trust the CA, trust the link between the key and the named person. In short, a CA answers the question of whether a public key really belongs to whoever it claims to, so you do not have to take the signer's word for it.
CAs are the backbone of public key infrastructure (PKI), the wider system of keys, certificates, and rules that makes digital signatures verifiable. Your web browser and operating system ship with a built-in list of root CAs they trust, and an individual certificate traces back to one of these roots through a chain of intermediate certificates: the root signs the intermediate's certificate, the intermediate signs the end-entity certificate, and a verifier checks every signature in that chain. A certificate that cannot be chained to an installed root is not trusted, however well-formed it is. The same model underlies higher-assurance electronic signatures. Under the EU's eIDAS regulation, Regulation (EU) No 910/2014, a qualified electronic signature (QES) must be based on a qualified certificate issued by a qualified trust service provider and created with a qualified signature creation device. A qualified trust service provider is a CA whose qualified status has been granted by a national supervisory body and published in an EU member state's trusted list. The CA's accountability and oversight are what give that signature its legal weight.
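The chain of trust described above, as an added example that is not from the original page or from any e-signature vendor: a POSIX shell script that uses the openssl command-line tool to stand up a root CA, an intermediate CA and an end-entity signing certificate, signs a constructed sample document with the signer's key, and then runs the two checks a verifier performs (does the signing certificate chain to a root the verifier already holds, and does the signature match the document). The CA names, subjects, file names and the contract text are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): root -> intermediate -> signer
# chain built with the openssl CLI, a detached signature over a constructed
# document, and the chain and signature checks a verifier runs.
# All names, subjects and file paths below are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; every file lives in here
cd "$WORK"

# Extension profile: CAs get CA:TRUE + keyCertSign, the signer gets CA:FALSE.
write_ext() {  # $1 = output path, $2 = "ca" or "signer"
  if [ "$2" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"
  else
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$1"
  fi
}

# A self-signed CA certificate: the trust anchor a verifier must hold in advance.
make_root() {  # $1 = name, also used as the CN
  write_ext "$1.ext" ca
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -sha256 \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Issuance: the CA named in $2 signs a certificate for the subject named in $1.
# This is where a CA binds an identity (just a CN here; a real CA checks the
# applicant's documents first) to the subject's public key.
issue() {  # $1 = subject name, $2 = issuing CA name, $3 = "ca" or "signer"
  write_ext "$1.ext" "$3"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Chain check: prints "trusted" if the leaf chains to the given anchor through
# the supplied intermediate, otherwise "untrusted". -no-CApath keeps the
# system trust store out of the decision so only $1 counts as an anchor.
verify_chain() {  # $1 = trust anchor, $2 = leaf cert, $3 = intermediate (optional)
  if [ -n "${3:-}" ]; then
    if openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
  else
    if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
  fi
}

# Detached signature with the signer's private key.
sign_document() {  # $1 = signer private key, $2 = document, $3 = signature output
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Signature check: take the public key out of the signing certificate and
# verify the detached signature over the document. Prints "valid" or "invalid".
verify_document() {  # $1 = signing cert, $2 = document, $3 = detached signature
  openssl x509 -in "$1" -pubkey -noout > "$1.pub"
  if openssl dgst -sha256 -verify "$1.pub" -signature "$3" "$2" >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

make_root root                     # the anchor the verifier already holds
issue intermediate root ca         # root signs the intermediate CA
issue signer intermediate signer   # intermediate signs the signing certificate
make_root other-root               # a CA the verifier does NOT hold as an anchor

# Constructed sample document and a tampered copy of it.
printf 'Alice agrees to the constructed sample contract.\n' > contract.txt
printf 'Alice agrees to the constructed sample contract and a late fee.\n' > tampered.txt
sign_document signer.key contract.txt contract.sig

echo "chain through intermediate to root: $(verify_chain root.crt signer.crt intermediate.crt)"
echo "chain with intermediate missing:    $(verify_chain root.crt signer.crt)"
echo "chain against a different root:     $(verify_chain other-root.crt signer.crt intermediate.crt)"
echo "signature over original document:   $(verify_document signer.crt contract.txt contract.sig)"
echo "signature over tampered document:   $(verify_document signer.crt tampered.txt contract.sig)"
```

The five result lines are trusted, untrusted, untrusted, valid, invalid. The middle two are the practical lesson: a mathematically valid signature proves nothing on its own; the signing certificate must chain, with every intermediate present, to an anchor the verifier already holds. Revocation checking against the CA's CRL or OCSP responder is a further step on top of these two and is not exercised here.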
It helps to be clear about the difference between a CA and what it produces. The CA is the entity, the digital certificate is the credential it issues, and the signing certificate is the certificate a particular signer uses to apply a digital signature. A CA can also revoke a certificate before it expires, for example when the private key is compromised or the holder's identity details change, and it publishes that revocation, through a certificate revocation list (CRL) or an OCSP responder, so verifiers know to stop trusting the credential. Checking revocation is a separate step from checking the chain, and a verifier that skips it will keep accepting a certificate its CA has already withdrawn.
Not every electronic signature involves a CA at all. Many legally binding e-signatures executed under the US ESIGN Act, enacted in 2000, or the Uniform Electronic Transactions Act (UETA), published in 1999, rely on signer authentication and a tamper-evident audit trail rather than a certificate from a CA. CAs become essential when you need cryptographic, third-party-verifiable proof of identity, such as for the advanced (AES) and qualified (QES) tiers in Europe. The right approach depends on the legal regime and the level of assurance a given document calls for.
Examples
- A browser trusts a website because the site's certificate chains back to a root CA already installed on your device.
- A qualified trust service provider in the EU acts as a CA, issuing the qualified certificate that makes a QES legally equivalent to a handwritten signature.
- When a private key is lost or stolen, the CA revokes the matching certificate and publishes the revocation so verifiers stop accepting it.
- A CA verifies an applicant's identity documents before binding their name to a public key inside a signing certificate.