For public-key cryptography to be valuable, users must be assured that the other parties with whom they communicate are "safe"-that is, their identities and keys are valid and trustworthy. To provide this assurance, all users of a PKI must have a registered identity. These identities are stored in a digital format known as a public key certificate. Certification Authorities (CAs) represent the people, processes, and tools to create digital certificates that securely bind the names of users to their public keys.In creating certificates, CAs act as agents of trust in a PKI. As long as users trust a CA and its business policies for issuing and managing certificates, they can trust certificates issued by the CA. This is known as third-party trust.CAs create certificates for users by digitally signing a set of data that includes the following information (and additional items):
The CA's signature on a certificate allows any tampering with the contents of the certificate to be easily detected. (The CA's signature on a certificate is like a tamper-detection seal on a bottle of pills-any tampering with the contents of a certificate is easily detected) As long as the CA's signature on a certificate can be verified, the certificate has integrity. Since the integrity of a certificate can be determined by verifying the CA's signature, certificates are inherently secure and can be distributed in a completely public manner (for example, through publicly-accessible directory systems).
Users retrieving a public key from a certificate can be assured that the public key is valid. That is, users can trust that the certificate and its associated public key belong to the entity specified by the distinguished name. Users also trust that the public key is still within its defined validity period. In addition, users are assured that the public key may be used safely in the manner for which it was certified by the CA.