Certificate Authorities
Certificates are digitally signed by a trusted third party (for example, Verisign) known as a certificate authority (CA). Because a trusted CA has signed the certificate, the client can trust it to be authentic. Certificate verification involves a “chain of trust”—that is, although you cannot be sure that the information provided to you by a host is true, if that information has been signed (meaning that it has been previously verified and validated) by a trusted CA, then you can trust the information.
The CA can either be public (a company that signs certificates for many systems) or private (an authority set up by an organization to sign certificates for their system only).
Tip: Certificates do not need to be signed by a third party—they can be self-signed. For more information, see Generating Self-Signed Certificates.
Most software (web browsers and operating systems, for example) recognizes the common CAs because their certificates are built into the underlying software. If a CA's certificate is not built in, it can be downloaded from the CA's web site.
When the CA signs the certificate, a message digest is taken of the information within the certificate. A message digest is a hash computed over the contents of the message; when the certificate is digitally signed, this digest is appended to the end of the certificate. The digest can be verified at any time by recalculating it and comparing the newly calculated value with the original. If the two digests match, the message was not modified between the time it was sent and the time it was received, which guarantees the integrity of the transmitted data.
The message digest is encrypted with the CA's private key using public key cryptography, and the result is used to determine whether the certificate was tampered with.
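The following Go program is an added example (standard library only, not code from the original page) that walks through both halves of the text above: a private CA signs a server certificate, a client verifies the chain back to the root it trusts, and a one-bit change to the signed portion of the certificate makes the CA's signature fail to verify. The CA name "Example Private CA" and the host name "server.example.test" are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildChain plays the CA: it creates a self-signed root and signs a server certificate with the root's key.
func BuildChain() (ca, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now().Add(-time.Minute)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "server.example.test"},
		DNSNames: []string{"server.example.test"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	// Root: parent == template, so it is signed with its own key. Leaf: parent is the CA cert, signer is caKey.
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// VerifyChain plays the client: it trusts only root and requires leaf to chain back to it for the expected name.
func VerifyChain(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "server.example.test"})
	return err
}

// TamperDetected flips one bit in the signed body (the bytes the CA digested) and re-checks the CA's signature.
func TamperDetected(leaf, ca *x509.Certificate) bool {
	body := append([]byte(nil), leaf.RawTBSCertificate...)
	body[len(body)-1] ^= 0x01
	return ca.CheckSignature(leaf.SignatureAlgorithm, body, leaf.Signature) != nil
}

func main() {
	ca, leaf := BuildChain()
	fmt.Println(VerifyChain(leaf, ca), TamperDetected(leaf, ca)) // <nil> true
}
```

A certificate issued by a different CA, even one with the same name, fails VerifyChain because its signature does not verify under the trusted root's public key.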