Cryptography Tutorials - Herong's Tutorial Examples - Version 5.35, by Dr. Herong Yang
Why Certificates Need to Be Signed by CA?
This section describes why public keys need to be signed a CA (Certificate Authority). You communication partner can trust the CA, not you.
In the previous chapter, we learned how to put your own public key in a certificate and sign it by your own private key to make it as a self-signed certificate.
Of course, you can send your self-signed certificate to your communication partner and start to use it to encrypt the communication data. However, this only works if your communication partner knows you and trusts your digital signature.
In the case where you communication partner can not trust you directly, what you can do is to send your public key to a certificate authority (CA) and ask them to sign it for you. To do this, you need to put your public key into a certificate signing request (CSR), and mail it to a CA. The CA will verify the request and put your public key in a certificate and sign it with CA's private key.
When your partner receives your public key signed by a CA, he can validate the signature with the CA's public key. If the validation is ok, he can then trust your public key.
Here is a simple diagram that illustrates the certificate signing and validation process:
Your public key You ---- Certificate signing request ---> CA | | | |Sign | | Your public key + CA signature | v You <----- Certificate signed by CA -------- | | |Send |Send | | v CA's public key v Partner <-- Self-signed certificate ------ | |Verify your certificate with CA's public key |to trust your public key in the certificate | v OK
Last update: 2013.
Table of Contents