What is Certificate Authority or RootCA?

After reading my previous post on how Encryption/Decryption works, lets now dive into What is Certification Authority, how it works, what is Root CA, What is Certificate and etc…

Well first of all, as I motioned in the previous post – learning all this information take’s more than just reading posts. I will do my best to make it short but worthwhile to read.

Certificate Authority is a way to implement Asymmetric Encryption (What is Asymmetric Encryption? read my previous post).

A Certificate Authority is way to “Deal out” or to “Issue” a certificate to people or objects in the organization, so that they can then be used to Encrypt, Decrypt or sign data.

What is a Certificate? I will dive into to more on a different post, but in short it’s a “Electronic Document” that holds information that identifies its holder, and binds it with its Public Key.

The Certificate itself is the Private Key of the person or object.

The Architecture is set like this:

First you need to install a Root Certificate Authority (details and step-by-step guide will be provided on another post).

The Root CA is the one who is issuing all the Certificates.

After Installing the RootCA, I then go and issue Certificates to all the objects or people in my organization.

You can issue Certificates to:

1. People – they use it to Encrypt/Decrypt or to Sign data.

2. Objects – for instance Web Server who uses the Certificate to Encrypt the website and to sign the website.

I already explained how Encryption/Decryption works in that method on the previous post, But I will dive into to it a bit more, now that you know more about the basics of CA.

Let’s say that I have 3 people in my organization – Me, Ilan and Mark.

After we established the organization, the first thing we did was to install a RootCA so that we would be able to send out encrypted data to one another.

After Installing the RootCA, we used it to issue a Certificate to each of us.

Now let’s say I want to send Ilan a message and I want to make sure that only he can read it.

Since we are using the Public Key Infrastructure, I have access to:

1. My own Private Key.

2. Ilan’s and Mark’s Public Keys.

3. The organization’s Public Key.

What is the organization Public Key you ask? well think about it, previously I said that in Public Key Infrastructure, everyone and everything have their own Public and Private Key. And surly enough, every RootCA has its own Public and Private Key. The first own who gets issued a Certificate in the organization is the RootCA itself. 

Now I will explain how I’m going to send Ilan Encrypted Data and you will understand why the RootCA has a Certificate and where it’s being used.

Like I said in my previous post, to send Ilan an Encrypted message I’m going to use his Public Key to Encrypt the message with, and making sure that only Ilan’s Private Key can be used to Decrypt the message.

Now, I said before that I have access to Ilan’s and Marks Public Keys, so that shouldn’t be a problem right? I simply look on the Certificate Issued to Ilan, and it has his personal details (so I won’t confuse him with Mark) and his Public Key.

But let’s say that some Third Party has access to network.

That Third Party also can see Ilan’s Certificate, get to know all the personnel Information on Ilan and can also see Ilan’s Public Key. If that Third Party can see Ilan’s personal details, he can then create his own Certificate (on his RootCA), enter all Ilan’s and thus creating a Certificate that look and feels like Ilan’s.

And I ask you, If it walk’s like a duck, and it sounds like a duck – is it really a duck???

How can I be sure that the Certificate I use encrypt the data is really Ilan’s? and can then be open only by Ilan?

Here come’s the RootCA, with his Certificate.

All the Certificate issued by the RootCA are “Signed” by his Private Key.

Since they are Signed by his Private Key, I can take his Public Key and make sure that in fact the Certificate came from my RootCA, and some other RootCA.

So now, I can take Ilan’s Certificate, Make sure that it’s in fact his with the RootCA’s Public Certificate, and Encrypt the data using Ilan’s Public Key. Now only Ilan will be able to Decrypt it.

Also, one very important thing to keep in mind – each and every Certificate holds information on who issued that Certificate. When I look at a Certificate I can see the RootCA that was used to Issue it and Sign it, and can decide if I trust it or not.

For Example, If I want to send out a message to Larry who is working in another Organization – How do I sign that message to him?

I first have to get his Public Key – his Certificate.

Also, I have to make sure that I get his RootCA Certificate, to make sure that the Certificate Larry sent me is in fact his.

What do you think about this post?