Certificate Authority (CA) operations encompass the policies, procedures, and technical infrastructure for issuing, managing, renewing, and revoking digital certificates within a Public Key Infrastructure (PKI). CAs serve as trusted third parties that bind public keys to identities, enabling authentication, encryption, and digital signatures across networks.
A CA hierarchy typically consists of an offline root CA, one or more intermediate (issuing) CAs, and registration authorities (RAs) that verify certificate requests. The root CA generates a self-signed certificate; its key is stored in a hardware security module (HSM) kept offline in a physically secured facility and signs only intermediate CA certificates during tightly controlled key ceremonies. Intermediate CAs handle day-to-day certificate issuance, processing Certificate Signing Requests (CSRs) after the RA validates the requestor's identity and domain ownership. Certificate lifecycle management includes automated renewal through protocols like ACME (used by Let's Encrypt), revocation through Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP), and Certificate Transparency (CT) logging to detect unauthorized issuance. Internal enterprise CAs issue certificates for mTLS, code signing, email encryption, and device authentication.
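The hierarchy and lifecycle checks described above, as an added example that is not part of the original page: a throwaway two-tier CA built with the OpenSSL CLI in a temp directory, followed by chain validation and an expiry-window check. All subject names, file names, validity periods and the `mkca`, `chain_ok` and `expires_within` helpers are constructed for illustration; keys are plain files here, where a real root key would stay in the offline HSM.

```shell
#!/bin/sh
# Added example: throwaway two-tier CA in a temp dir; every name here is constructed.
set -eu

mkca() {  # mkca <dir>: build root, issuing CA, leaf, and a cert signed by the leaf
  cd "$1"
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[int_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.example.test
EOF
  # Root: self-signed. In production this key stays in an offline HSM.
  openssl req -x509 -config ca.cnf -extensions root_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -days 3650 -subj "/CN=Example Offline Root" 2>/dev/null
  issue() {  # issue <name> <CN> <signer> <ext section> <days>: CSR, then signing
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
      -extfile ca.cnf -extensions "$4" -days "$5" -out "$1.crt" 2>/dev/null
  }
  issue int   "Example Issuing CA" root int_ext  1825  # root signs only the intermediate
  issue leaf  "app.example.test"   int  leaf_ext 90    # issuing CA signs the end entity
  issue rogue "rogue.example.test" leaf leaf_ext 90    # signed by a CA:FALSE leaf key
  cat int.crt leaf.crt > untrusted.pem
}

# chain_ok <cert>: status 0 only if the cert chains to root.crt under X.509 path rules
chain_ok() { openssl verify -CAfile root.crt -untrusted untrusted.pem "$1" >/dev/null 2>&1; }

# expires_within <cert> <days>: status 0 if the cert expires inside the window
expires_within() { ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

WORK=$(mktemp -d); mkca "$WORK"
chain_ok leaf.crt  && echo "leaf: chains to root via issuing CA"
chain_ok rogue.crt || echo "rogue: rejected, its issuer is not a CA"
expires_within leaf.crt 30 || echo "leaf: more than 30 days left, no renewal yet"
```

The `pathlen:0` constraint on the issuing CA lets it sign end-entity certificates but no further subordinate CAs, and `expires_within` is the kind of check a renewal monitor would run against every deployed certificate.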
Compromised CA operations undermine the entire trust model of PKI. The DigiNotar breach in 2011 resulted in fraudulent certificates being issued for Google domains, enabling state-sponsored man-in-the-middle attacks. CA/Browser Forum Baseline Requirements mandate rigorous operational standards. Internal enterprise CAs that lack proper governance create shadow PKI risk -- unauthorized certificates that bypass security controls. Certificate expiration outages have caused major service disruptions at organizations including Microsoft, Spotify, and Ericsson.
CDA addresses CA operations within the Data Protection and Sovereignty domain as a C-HARDEN to C-DRILL deliverable. Our missions cover PKI architecture design, root CA ceremony procedures, intermediate CA deployment, certificate lifecycle automation, and monitoring infrastructure to prevent expiration and detect unauthorized issuance.