What is a Certificate Authority (CA), and why do browsers trust it?
Quick Answer
A Certificate Authority (CA) is an organization trusted to verify that whoever requests a certificate really controls the domain, then sign that certificate. Operating systems and browsers ship with a built-in list of trusted root CAs. Any certificate signed (directly or indirectly) by one of those roots is automatically trusted, without you having to configure anything.
Detailed Answer
Anyone could generate a key pair and claim "I am example.com." A Certificate Authority exists to stop that from being trusted blindly.
Before issuing a certificate, a CA runs a domain validation check. A common example: it asks the requester to publish a specific DNS record, or place a specific file on the web server, to prove they actually control that domain.
Once validation passes, the CA:
- Takes the requester's public key and identity information.
- Signs it with the CA's own private key (see the digital signature question in the previous topic).
- Returns the signed certificate to the requester.
Your operating system and browser come pre-loaded with a list of trusted root CA public keys — companies like DigiCert, Let's Encrypt, and Google Trust Services are common examples. Because your browser already trusts those roots, it can automatically verify any certificate they signed, with no manual setup.
This is why installing a fake certificate on your own laptop does not fool anyone else: their browser was never told to trust your CA. Trust only spreads through certificates signed by CAs already on that trusted list.