28

I've just read this article about what an HTTPS service is, and understand the basics of HTTPS.

When requesting HTTPS content, the server will send a public key to the browser, so that every time the browser receives data, it will be decrypted with the public key.

My question is: what is a CA certificate for? Why do we need it?

jww
Nicolas S.Xu
  • You don't. Check out [Let's Encrypt.](https://letsencrypt.org/) – erickson Oct 15 '16 at 16:10
  • @erickson Why is there an Authority? My understanding is that HTTPS is point to point, strictly between 2 parties. – Nicolas S.Xu Oct 15 '16 at 16:15
  • 2
    Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. Also [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww Oct 15 '16 at 18:56
  • 1
    @erickson Let's Encrypt still has a CA - the “difference” about LE is that a) it’s free, and b) it’s automatically renewed (or if you can’t automatically it’s probably not worth bothering) - so a double win! – DisappointedByUnaccountableMod Oct 09 '19 at 19:17
  • @NicolasS.Xu SSL certificates come with a public key, then you can use it in an HTTPS connection. However, it is not recommended to trust SSL certificates that are not signed by recognised CAs. It is because reputable websites are most likely asking recognised CAs to sign their certificates. Average crackers do not do that. – Ding-Yi Chen Jan 28 '22 at 07:58

3 Answers

18

A CA certificate is a digital certificate issued by a certificate authority (CA), so SSL clients (such as web browsers) can use it to verify the SSL certificates signed by this CA.

For example, stackoverflow.com uses Let's Encrypt to sign its servers, and the SSL certificates sent by stackoverflow.com mention that they are signed by Let's Encrypt. Your browser contains the CA certificate from Let's Encrypt, so the browser can use that CA certificate to verify stackoverflow's SSL certificate and make sure you are indeed talking to the real server, not a man-in-the-middle.

https://security.stackexchange.com/a/20833/233126 provides a more detailed explanation of how TLS/SSL certificates work.

rball
Ding-Yi Chen
7

Most certificates do not cost $800, and CAs such as Let's Encrypt are free (at the cost of the added inconvenience of periodic and frequent renewals).

The issue is: why would the client trust that the server is the correct server? The answer is that an authority, a CA, issues and vouches for the server certificate. In some manner the CA verifies the certificate requester. Then the CA provides a public interface to verify a certificate's authenticity. The CA must be known to the client; that is achieved by the OS and/or, in the case of a browser, the browser may also have embedded CAs.

zaph
7

A CA certificate guarantees that you are who you are. It is a third-party service which is used by systems.

Certificate - is a file which contains the owner info and its public key. This file is signed by the CA with a digital signature.

Digital signature - is bound to data (message, document, file...) and the owner.

//Create a signature by owner
1. generate public and private keys
2. calculate a check sum of data
3. encode calculated check sum by private key

//Check a signature
1. calculate a check sum of data
2. decode the calculated check sum by public key
3. compare check sums from step 1 and 2


yoAlex5
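Putting the first and third answers together, here is an added example (it is not part of the question or of any answer) that models the chain of trust end to end: the CA signs a certificate over the owner's info and public key, the browser holds only the CA's public key, and it uses that to check the server's certificate before trusting the server's own signature. Assumptions: textbook RSA built from well-known Mersenne primes with no padding (a toy, not secure), a certificate body of the form "subject|n|e", and a constructed handshake transcript.

```python
import hashlib

# Toy RSA from well-known Mersenne primes 2^k-1 (k in 17, 31, 61, 89, 107, 127).
# Textbook RSA, no padding, tiny moduli: illustration only, never for real use.
def M(k): return (1 << k) - 1

def keypair(p, q, e=65537):            # -> (public, private) as (modulus, exponent)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def checksum(data, n):                 # "calculate a check sum": SHA-256, reduced mod n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):               # "encode the check sum by the private key"
    n, d = private
    return pow(checksum(data, n), d, n)

def verify(public, data, sig):         # "decode by the public key", compare check sums
    n, e = public
    return pow(sig, e, n) == checksum(data, n)

def issue_cert(ca_private, subject, subject_public):
    """Certificate = owner info + owner's public key, signed by the CA (assumed format)."""
    body = f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()
    return body, sign(ca_private, body)

def browser_verifies(trusted_ca_public, cert, host, handshake, handshake_sig):
    """Client side: is the cert signed by a CA we already trust, does it name the
    host we asked for, and can the server prove it holds the matching private key?"""
    body, cert_sig = cert
    if not verify(trusted_ca_public, body, cert_sig):
        return False                   # unknown issuer: possible man-in-the-middle
    subject, n, e = body.decode().split("|")
    if subject != host:
        return False                   # genuine cert, but for a different site
    return verify((int(n), int(e)), handshake, handshake_sig)

# Constructed actors. The browser is shipped with CA_PUB only (the "CA certificate").
CA_PUB, CA_PRIV = keypair(M(61), M(89))
SRV_PUB, SRV_PRIV = keypair(M(31), M(127))
ROGUE_PUB, ROGUE_PRIV = keypair(M(17), M(107))     # an interceptor's self-made CA
SERVER_CERT = issue_cert(CA_PRIV, "stackoverflow.com", SRV_PUB)
ROGUE_CERT = issue_cert(ROGUE_PRIV, "stackoverflow.com", ROGUE_PUB)

def demo():                            # returns (genuine accepted?, rogue accepted?)
    transcript = b"client-random|server-random"    # constructed handshake data
    genuine = browser_verifies(CA_PUB, SERVER_CERT, "stackoverflow.com", transcript, sign(SRV_PRIV, transcript))
    rogue = browser_verifies(CA_PUB, ROGUE_CERT, "stackoverflow.com", transcript, sign(ROGUE_PRIV, transcript))
    return genuine, rogue
```

The rogue certificate names the right host and carries a valid signature from its own CA, yet the browser rejects it because that CA's public key is not among the ones it trusts; that is exactly the check the CA certificate exists for.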