What is a Certificate Authority?
A certificate authority (CA) is a trusted third-party organization that issues, signs, and manages digital certificates used to verify the identity of entities — such as websites, organizations, or devices — within a public key infrastructure.
Also known as: CA, trusted certificate authority
Certificate authorities are the trust anchors of the internet's identity system. When a CA issues a certificate for a domain, it is attesting that the certificate holder has proven control over that domain. Browsers and operating systems ship with a pre-installed set of trusted root CA certificates. When your browser encounters a server's certificate, it traces the chain of signatures back to one of these trusted roots to decide whether to trust the connection.
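The chain walk described above, as an added example that is not from this page or from Vaulted: using Go's standard-library crypto/x509, it constructs an in-memory root CA, an intermediate CA and a server certificate for the hypothetical host vaulted.example, then verifies the server certificate against a root store holding only that root. A certificate issued by a second, self-signed CA that is not in the root store, and the genuine certificate checked against the wrong hostname, both fail. All names, keys and certificates are constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue signs a certificate for cn with parentKey; a nil parent yields a self-signed root CA.
func Issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed in memory, never persisted
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: dns,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // a CA may sign subordinate certificates
	}
	if parent == nil { // a root signs itself and becomes the trust anchor
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Verify traces leaf's signatures through inter to root, as a browser does against its root store, and checks host.
func Verify(leaf, inter, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)   // the only trusted root, like a browser's pre-installed store
	inters.AddCert(inter) // intermediates are supplied by the server, never trusted on their own
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	root, rootKey := Issue("Example Root CA", true, nil, nil, nil)
	inter, interKey := Issue("Example Issuing CA", true, nil, root, rootKey)
	leaf, _ := Issue("vaulted.example", false, []string{"vaulted.example"}, inter, interKey)
	rogue, rogueKey := Issue("Rogue CA", true, nil, nil, nil) // self-signed, but not in the root store
	fake, _ := Issue("vaulted.example", false, []string{"vaulted.example"}, rogue, rogueKey)
	fmt.Println("trusted chain:", Verify(leaf, inter, root, "vaulted.example")) // <nil>
	fmt.Println("unknown root:", Verify(fake, inter, root, "vaulted.example"))  // unknown authority error
	fmt.Println("wrong host:", Verify(leaf, inter, root, "other.example"))      // hostname mismatch error
}
```

Note that the check only asks whether the chain reaches a trusted root; a certificate issued by a trusted CA whose key was compromised would verify just as cleanly, which is the gap Certificate Transparency logs exist to detect.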
The certificate issuance process varies by validation level. Domain Validation (DV) certificates require only proof of domain control (typically via DNS or HTTP challenge) and can be issued in minutes. Organization Validation (OV) and Extended Validation (EV) certificates require verifying the legal identity of the requesting organization. Let's Encrypt popularized free, automated DV certificates, dramatically increasing HTTPS adoption across the web.
CA compromise is one of the most serious threats to internet security. If an attacker gains control of a CA's signing key, they can issue fraudulent certificates for any domain, enabling undetectable man-in-the-middle attacks. This has happened — DigiNotar's compromise in 2011 led to its complete distrust and dissolution. Certificate Transparency (CT) logs, a public append-only record of all issued certificates, were introduced to detect such fraudulent issuance quickly.
How Vaulted uses a Certificate Authority
Vaulted's HTTPS certificate is issued by a trusted certificate authority, allowing browsers to verify they are connecting to the authentic Vaulted server. This prevents man-in-the-middle attackers from impersonating Vaulted to intercept encrypted secrets or serve malicious JavaScript. While the CA-backed TLS connection protects the transport layer, Vaulted's security model does not rely solely on it — client-side encryption ensures that even a compromised TLS channel would expose only ciphertext, not plaintext secrets.