Skip to content
Latchkey

What Is a Certificate Authority? Explained

A certificate authority (CA) is a trusted organization that issues and signs digital certificates, vouching that a public key really belongs to a named entity.

A public key alone does not tell you whose it is - anyone can generate one. A certificate authority solves that by acting as a trusted notary: it verifies an identity and signs a certificate binding that identity to a public key. CAs are the root of the trust that makes HTTPS work, and they matter in CI whenever a pipeline talks to a server over TLS.

What a certificate authority is

A CA is an entity that issues digital certificates after verifying the requesters identity. By signing a certificate, the CA vouches that the public key inside genuinely belongs to the named subject. Browsers, operating systems, and runners ship with a list of CAs they trust by default.

The chain of trust

Trust flows in a chain. A root CA, kept offline and highly protected, signs intermediate CAs, which sign the certificates servers actually present. A verifier follows the chain from the servers certificate up to a trusted root. If every link checks out, the certificate is trusted.

Public CAs versus private CAs

Public CAs (like the ones behind most HTTPS sites) are trusted by default everywhere. Organizations also run private CAs for internal services; clients must be told to trust that private root explicitly. This distinction matters when a runner needs to reach an internal server.

Certificate authorities in CI

A frequent CI hiccup is a job failing with a certificate-verification error when it hits an internal service signed by a private CA the runner does not trust. The fix is to install the private CA certificate into the runners trust store so TLS verification succeeds.

Adding a private CA to the trust store
# Trust a private CA on a runner in CI
steps:
  - run: |
      cp internal-ca.crt /usr/local/share/ca-certificates/
      update-ca-certificates

Latchkey note

Latchkey runners ship with the standard public CA bundle. To reach internal services signed by your own CA, you install that CA certificate in a job step, exactly as you would on any standard runner.

Key takeaways

  • A certificate authority is a trusted party that signs certificates binding identities to public keys.
  • Trust flows through a chain from a protected root CA down to the certificate a server presents.
  • CI jobs hitting internal services may need the private CA installed in the runners trust store.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →