About signing and root (digital) certificates of authenticity

When you view a secure (https) website, your browser uses cryptography to verify that a certificate authority (CA), usually a trusted independent third party (for example, USERTrust or VeriSign), has verified the identity of the server. The verification uses TLS/SSL (X.509) certificates. The CA signs the web server's certificate with the private key that belongs to the CA's own certificate, and your browser checks that signature with the public key in the CA's certificate. Because your browser trusts the CA and the signature checks out, it can trust that the server certificate, and the public key inside it, belong to the site named in the certificate. The browser also checks that the name in the certificate matches the site you requested and that the certificate has not expired or been revoked; a chain whose signatures are valid but whose name does not match is still rejected.

The CA's certificate must also be signed. It may be self-signed, in which case it is known as a root certificate, or it may be an intermediate (signing) certificate that is itself signed by the root certificate. CAs often sign their intermediate certificates with their root certificates, and then take the root private keys offline and store them in physically secure facilities. The intermediate certificates are then used day to day to sign server certificates. This arrangement limits the damage if an intermediate's private key is compromised: the CA can revoke that intermediate and issue a new one without replacing the root certificate that every browser trusts.

Your browser establishes trust by following the chain of trust back to a root: it checks the cryptographic signature on each certificate in the chain (the server certificate signed by the intermediate, the intermediate signed by the root) and, unless it has been explicitly configured to trust the intermediate certificate directly, requires that the chain end at a root certificate already in its trust store. A chain in which any signature fails, or which ends at a self-signed certificate the browser does not know, is rejected with a warning, no matter how many intermediates it contains.
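The following script is an added example, not part of this Knowledge Base document: it uses the openssl command-line tool to build a root, intermediate, and server certificate chain and then runs the same checks a browser performs. The CA and host names (Example Root CA, www.example.test, and so on) and the file names are made up for the demonstration. Four cases are exercised: the chain reaches a trusted root and the hostname matches (accepted); the hostname does not match (rejected); the trust store holds an unrelated root, so the intermediate's signature cannot be verified (rejected); and the trust store holds only the intermediate, so the chain never reaches a self-signed root (rejected unless partial chains are explicitly allowed).

```shell
#!/bin/sh
# Added example (not from the KB article): build root -> intermediate -> leaf
# with the openssl CLI and verify the leaf the way a browser would.
# All names and files below are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal request config: no prompts, the subject comes from -subj.
# [v3_ca] marks the self-signed root as a CA.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Intermediate: a CA, but it may not issue further CAs (pathlen:0).
cat > int.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Leaf (server) certificate: not a CA, bound to one hostname.
cat > leaf.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid
EOF

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }

# Self-signed root: the trust anchor. In practice its private key stays offline.
make_root() {  # $1 = file prefix, $2 = common name
  newkey "$1.key"
  openssl req -x509 -new -key "$1.key" -days 3650 -subj "/CN=$2" \
    -config req.cnf -extensions v3_ca -out "$1.pem" 2>/dev/null
}

# Issue certificate $1 from CA $2, applying extensions file $3 and CN $4.
issue() {
  newkey "$1.key"
  openssl req -new -key "$1.key" -subj "/CN=$4" -config req.cnf -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile "$3" -out "$1.pem" 2>/dev/null
}

make_root root  "Example Root CA"
make_root other "Unrelated Root CA"
issue int  root int.ext  "Example Intermediate CA"
issue leaf int  leaf.ext "www.example.test"

# Browser-style check: every signature in the chain, CA flags, validity
# period, chain ends in the trust store ($1), and hostname ($2) matches.
verify_leaf() {
  openssl verify -CAfile "$1" -untrusted int.pem -verify_hostname "$2" leaf.pem >/dev/null 2>&1
}
chain_result() { if verify_leaf "$1" "$2"; then echo OK; else echo FAIL; fi; }

# Trusting only the intermediate: the chain never reaches a self-signed root,
# so openssl rejects it (it would need -partial_chain to accept this).
intermediate_only_result() {
  if openssl verify -CAfile int.pem leaf.pem >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

echo "trusted root, matching host:   $(chain_result root.pem www.example.test)"
echo "trusted root, wrong host:      $(chain_result root.pem wrong.example.test)"
echo "unrelated root in trust store: $(chain_result other.pem www.example.test)"
echo "intermediate only, no root:    $(intermediate_only_result)"
```

The `-untrusted int.pem` argument plays the role of the intermediate that a web server sends along with its own certificate during the TLS handshake: the browser uses it to build the chain but does not trust it until the root's signature on it has been checked.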

This is document auaw in the Knowledge Base.
Last modified on 2020-10-30 17:02:20.