'What is CA certificate, and why do we need it?

I've just read this article about what is HTTPS service, and understand the basic of https.

When requesting https content, the server will send a public key to browser, so that every time, the browser receive data will decrypted with the public key.

My question is what is CA certificate for? Why do we need it?

sslx509pki


Solution 1:[1]

A CA certificate is a digital certificate issued by a certificate authority (CA), so SSL clients (such as web browsers) can use it to verify the SSL certificates sign by this CA.

For example, stackoverflow.com uses Let's Encrypt to sign its servers, and SSL certificates sent by stackoverflow.com mention they are signed by Let's Encrypt. Your browser contains the CA certificate from Let's Encrypt and so the browser can use that CA certificate to verify the stackoverflow's SSL certificate and make sure you are indeed talking to real server, not man-in-the-middle.

https://security.stackexchange.com/a/20833/233126 provides a more detail explanation about how TLS/SSL certificates work.

Solution 2:[2]

Most certificates do not cost $800 and CAs such as Let's Encrypt are free (at the cost of added inconvenience of periodic and often renewals)

The issue is why would the client trust that the server is the correct server? The answer is that an authority, a CA, issues and vouches for the server certificate. In some manner the CA, verifies the certificate requester. Then the CA provides a public interface to verify a certificate's authenticity. The CA must be know to the client that that is achieved by the OS and/or in the case the browser may also have embedded CAs.

Solution 3:[3]

CA certificate guarantees that you are who you are. It is a third party service which is used by systems

enter image description here

Certificate - is a file which contains a owner info and it's public key. This file is signed by CA with digital signature

Digital signature - is bounded with data(message, document, file...) and owner

//Create a signature by owner
1. generate public and private keys
2. calculate a check sum of data
3. encode calculated check sum by private key

//Check a signature
1. calculate a check sum of data
2. decode the calculated check sum by public key
3. compare check sums from step 1 and 2

[check sum]

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 rball
Solution 2 zaph
Solution 3

Related Questions

Secure cookies flag always getting lost in first session after resetting IIS

Solving sslv3 alert handshake failure when trying to use a client certificate

Nginx the event was not signaled for 5s

Getting error "403 - Forbidden: Access is denied" on browser when user is NOT administrator

Disable SSLHandshakeException for a single connection

How to fix ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1056)?

tls unsigned certificate when using terraform

Library not loaded: /opt/local/lib/libssl.1.0.0.dylib (LoadError)

SSL certificate error for IE users only

Mongodb SSL - unable to get issuer certificate

Where can I find the WAMP error log?

How to convert certificate from PEM to JKS?

CondaHTTPError: HTTP 000 CONNECTION FAILED for url - Anaconda

Getting Chrome to accept self-signed localhost certificate

"ssl module in Python is not available" when installing package with pip3