Root CA for Third-Party Providers (e.g., DigiCert)

The Root Certificate Authority (Root CA) is a critical component of the Public Key Infrastructure (PKI) that provides trust for all certificates issued by third-party providers like DigiCert. Below is a detailed table explaining the key aspects of DigiCert's Root CA, where it exists, and how it operates.

Aspect Details
What is a Root CA?
The Root CA is the top-most authority in a PKI hierarchy. It is responsible for establishing trust by signing Intermediate CAs or Subordinate CAs, which then issue certificates to end-entities (e.g., websites, applications, users).
Where is DigiCert’s Root CA?
  • Pre-installed in Trusted Root Stores: DigiCert’s Root Certificates are included in Trusted Root Stores of all major platforms:
    • Web Browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, and others.
    • Operating Systems: Windows, macOS, Linux distributions, and mobile OSs like Android and iOS.
  • Stored in Secure Offline Locations: DigiCert’s Root private keys are stored in:
    • Air-gapped systems: To prevent unauthorized access or attacks.
    • Hardware Security Modules (HSMs): Cryptographic devices designed for secure key storage.
    • Multiple geographically dispersed, high-security facilities.
How is it Used?
DigiCert uses a hierarchical trust model:
  • The Root CA signs certificates for Intermediate Certificate Authorities (ICAs).
  • Intermediate CAs handle day-to-day operations, issuing certificates to end-users or servers.
This layered model ensures high security and scalability, reducing the risk of exposing the Root CA to potential threats.
Examples of DigiCert Root CAs
  • DigiCert Global Root CA
  • DigiCert High Assurance EV Root CA
  • DigiCert Trusted Root G4
Why is the Root CA Important?
  • Serves as the trust anchor for the PKI, enabling secure communication across the internet.
  • Provides the foundation for issuing SSL/TLS certificates, code signing certificates, and more.
What Happens if the Root CA is Compromised?
Severe consequences: if the Root CA is compromised, trust in the entire PKI collapses, because every certificate that chains to that root can no longer be relied on. DigiCert mitigates this risk by keeping the Root CA private keys offline and signing only a limited number of Intermediate CAs.
How to View DigiCert’s Root CA?
  1. Visit a website secured by DigiCert (e.g., https://www.digicert.com).
  2. Click on the padlock icon in the browser’s address bar.
  3. Select "View Certificate" and examine the certification chain. The topmost certificate is DigiCert’s Root CA, which the browser matches against its own trusted root store.
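
The hierarchical trust model and the trust-anchor role described in the table, as an added example (not DigiCert tooling and not code from the original page): it builds a constructed root, intermediate and leaf with the openssl CLI, then shows that the leaf verifies only when the correct root is the anchor and the intermediate is supplied. The names example-root, other-root, example-ica and www.example.test, the pki.cnf profile names and all keys are assumptions generated locally.

```shell
# Added example. All names and keys are constructed; none is a DigiCert artifact.

# Minimal OpenSSL config: one extension profile for CAs, one for end entities.
write_cnf() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
}

# new_root DIR NAME: self-signed certificate that acts as a trust anchor.
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/pki.cnf" \
    -extensions v3_ca -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR ISSUER SUBJECT PROFILE: sign SUBJECT's CSR with ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -extfile "$1/pki.cnf" -extensions "$4" \
    -out "$1/$3.pem" 2>/dev/null
}

# build_pki DIR: root -> intermediate -> leaf, plus an unrelated second root.
build_pki() {
  write_cnf "$1" && new_root "$1" example-root && new_root "$1" other-root &&
  issue "$1" example-root example-ica v3_ca &&
  issue "$1" example-ica www.example.test v3_leaf
}

# chain_ok DIR ANCHOR [INTERMEDIATE]: does the leaf chain up to ANCHOR?
chain_ok() {
  openssl verify -CAfile "$1/$2.pem" ${3:+-untrusted "$1/$3.pem"} \
    "$1/www.example.test.pem" >/dev/null 2>&1
}

d=$(mktemp -d) && build_pki "$d" || exit 1
chain_ok "$d" example-root example-ica && echo "via ICA to example-root: trusted"
chain_ok "$d" other-root example-ica   || echo "anchor is other-root: rejected"
chain_ok "$d" example-root             || echo "intermediate missing: rejected"
rm -rf "$d"
```

The root key is used once, to sign the intermediate; every later issuance uses only the intermediate's key, which is what lets a root key stay offline.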

The Root CA plays a vital role in ensuring secure communication and trust across digital platforms. DigiCert employs stringent security measures to safeguard its Root CAs, ensuring their integrity and reliability.