What is a certificate authority and how does it work

· Category: Cybersecurity

Short answer

A certificate authority (CA) is a trusted entity that issues digital certificates verifying that a public key belongs to a specific domain or organization. Browsers trust CAs because their root certificates are pre-installed in the operating system or browser. When you visit an HTTPS site, the browser checks the certificate against its list of trusted CAs. For the protocol this protects, see how does HTTPS encryption work.

Chain of trust

  1. Root CA — Self-signed, pre-installed in browsers (e.g., DigiCert, Let's Encrypt's ISRG Root)
  2. Intermediate CA — Signed by the root CA; issues end-entity certificates
  3. End-entity certificate — Your website's certificate, signed by the intermediate CA

The browser verifies: your cert → intermediate signature → root signature → root is in trust store → trusted.

How certificate issuance works

  1. Generate a key pair (private + public) on your server
  2. Create a Certificate Signing Request (CSR) with your public key and domain name
  3. Submit the CSR to a CA
  4. CA verifies you control the domain (DNS challenge, HTTP challenge, or email verification)
  5. CA signs your certificate with its intermediate key
  6. Install the certificate on your server alongside the intermediate chain
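
The chain of trust and the issuance steps above, carried through end to end as an added example (not from the original page) using the openssl CLI: a self-signed root, an intermediate signed by it, and a server certificate signed by the intermediate, followed by the same verification a browser performs. All names here (Demo Root CA, Demo Intermediate CA, example.test) are made up, and the working directory is a throwaway temp dir.

```shell
#!/bin/sh
# Added example (not from the original page): a toy three-tier PKI built with the
# openssl CLI. Every name (Demo Root CA, Demo Intermediate CA, example.test) is made up.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"

# Chain level 1: the self-signed root. In production this is what ships in the
# OS/browser trust store; here it is just $WORK/root.pem.
make_root() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$WORK/root.ext"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
}

# Chain level 2: the intermediate. Key pair + CSR (issuance steps 1-2), then the root
# signs it. pathlen:0 lets it issue end-entity certs but no further intermediates.
make_intermediate() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' > "$WORK/int.ext"
  openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
}

# Chain level 3: the server (end-entity) certificate. The domain goes in subjectAltName,
# CA:FALSE stops it from signing anything, and the intermediate key signs it (step 5).
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:example.test' \
    'authorityKeyIdentifier=keyid' > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 90 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

build_chain() { make_root; make_intermediate; make_leaf; }

# Browser-style verification: the root is trusted (-CAfile), the intermediate is only
# presented by the server (-untrusted), and the leaf must link through it to the root.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem"
}

# Same check plus hostname matching against subjectAltName, as a browser would do.
verify_for_host() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    -verify_hostname "$1" "$WORK/leaf.pem"
}

# The classic misconfiguration from step 6: the server sends the leaf without the
# intermediate, so the verifier cannot reach the trusted root. Expected to fail.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem"
}

# Print subject and issuer of each link so the chain can be read top-down.
show_chain() {
  for f in root int leaf; do
    openssl x509 -in "$WORK/$f.pem" -noout -subject -issuer
  done
}

build_chain
show_chain
verify_chain
```

Running the script prints the three subject/issuer pairs and then `leaf.pem: OK`; calling `verify_without_intermediate` afterwards fails with an "unable to get local issuer certificate" error, which is exactly what a browser reports when a server forgets to ship its intermediate.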

Tips

  • Use Let's Encrypt for free, automated certificates via ACME protocol
  • Never share your private key — the certificate is public, the key is not. For more on this, see how does hashing work.
  • Monitor certificate expiration and set up auto-renewal so certificates are replaced before they expire
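
The expiry-monitoring tip above as an added example (not from the original page): a renewal check built on `openssl x509 -checkend`, the kind of probe a cron job or monitoring agent runs against deployed certificates. The certificate it inspects is a throwaway self-signed one created inline with a made-up hostname; the 30-day threshold is an assumption, not a value from the page.

```shell
#!/bin/sh
# Added example (not from the original page): expiry check with openssl x509 -checkend.
# The certificate is constructed here for the demo; expiring.test is a made-up name.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"

# Constructed input: a self-signed certificate that is valid for 20 more days.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 20 -subj "/CN=expiring.test" \
  -keyout "$WORK/short.key" -out "$WORK/short.pem" 2>/dev/null

# Returns 0 if the certificate ($1) will still be valid $2 days from now, non-zero
# if it will have expired by then. -checkend takes a number of seconds.
valid_in_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Renewal decision: returns 0 (renew now) when fewer than $2 days remain,
# 1 (nothing to do) otherwise. Prints a one-line status either way.
needs_renewal() {
  if valid_in_days "$1" "$2"; then
    printf '%s: more than %s days left, no action\n' "$1" "$2"
    return 1
  fi
  printf '%s: expires within %s days, renew now\n' "$1" "$2"
  return 0
}

# Show the notAfter date, then apply an assumed 30-day renewal threshold.
openssl x509 -noout -enddate -in "$WORK/short.pem"
needs_renewal "$WORK/short.pem" 30 || true
```

With a 20-day certificate the 30-day threshold reports "renew now", while a 10-day threshold reports "no action"; pointing `needs_renewal` at a live server is the same check once the certificate has been fetched with `openssl s_client`.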