rootCA

A Root Certificate Authority, or Root CA, is a certificate authority whose own certificate is self-signed and is trusted by devices and software as the ultimate anchor of trust in a public key infrastructure (PKI). The root key is used to sign one or more intermediate CAs, which in turn issue end-entity certificates such as TLS server certificates. The security of the entire PKI depends on the integrity of the root key.

In a typical PKI hierarchy, trust is established through a chain of certificates: the root CA signs an intermediate CA, the intermediate signs leaf or end-entity certificates, and clients validate a presented certificate by tracing a path back to a trusted root in their trust store. Root CAs are usually offline or highly protected; intermediates are used for day-to-day issuance to reduce risk to the root key.

Security and lifecycle considerations are central to Root CAs. Because a root key compromise would affect many certificates, root keys are often stored offline in hardware security modules and only used in controlled environments. Root certificates are embedded in the trusted stores of operating systems and browsers, and updates to trust require careful governance, audits, and sometimes cross-signing or new root issuance. Root certificates typically have long validity periods, while intermediate and end-entity certificates have shorter lifetimes. Revocation mechanisms (such as CRLs or OCSP) apply to issued certificates; a compromised root may trigger revocation and replacement of affected trust anchors.

Root CAs are foundational to deployments such as TLS, code signing, and email security. They are governed by industry standards and baselines that define issuance practices, audits, and lifecycle management to maintain overall trust in the PKI.