A digital certificate, also called a root certificate, that can be used to verify the identity of a certificate authority (CA).
The CA certificate contains the identification information and public key for the certificate authority it identifies.
A certificate authority that is part of a hierarchical public key infrastructure (PKI) receives its CA certificate from the CA directly above it in the hierarchy.
A root CA at the top of a PKI hierarchy must self-sign its own certificate, in effect certifying itself.
The CA certificate plays an important part in the workings of the Secure Sockets Layer (SSL) protocol. The public key of the CA, contained in the CA certificate, is used to validate all other digital certificates that have been issued by that CA for entities (individuals, systems, companies, and organizations). When an entity such as a Web browser (perhaps Microsoft Internet Explorer) or a Web server (perhaps Internet Information Services) requests a digital certificate from a CA, the CA certificate identifies the CA that issues the certificate.
This CA certificate is downloaded from a shared storage location at the certificate authority and installed onto the Web server or browser. Later, when the Web browser tries to access the Web server using the SSL protocol, the Web browser uses the CA certificate to validate the Web server’s certificate. Similarly, the server can use the CA certificate to validate the browser client’s certificate, if it has one.
CA Certificate example
The digital CA certificate for a certificate authority must be kept in a location that is readily available for all servers and clients that will access it and install it on their Web browser or Web server. From this location, Web servers and Web clients that need to use the SSL protocol must obtain and install the CA certificate in their certificate stores. On Microsoft Certificate Server this location is the default Web location http://Server Name/certsrv, where Server Name is the name of the Microsoft Windows NT server on which Microsoft Certificate Server is installed.
Internet Explorer comes with the CA certificates of a number of certificate authorities preinstalled. These root certificates enable Internet Explorer to be used for SSL authentication, sending secure e-mail, and so on. If you want to use the services of a CA that does not have its CA root certificate installed in Internet Explorer, you can visit that CA’s Web site to find instructions on how to obtain their root certificate. Administrators can also use the Internet Explorer Administration Kit (IEAK) for importing and installing root certificates on Web browsers prior to installation on client machines.