
Root certificate

A root certificate is an unsigned or self-signed X.509 public key certificate. Normally an X.509 certificate includes a signature from a certificate authority (CA) which vouches for its authenticity.

The authenticity of the CA's signature, and whether the CA can be trusted, can be determined by examining its key's certificate in turn. This chain must, however, end somewhere, and you end up at the root certificate, so called because it is at the root of a tree. (A CA can issue multiple certificates, which can be used to issue multiple certificates in turn, thus creating a tree.)

Root certificates are implicitly trusted. They are included with browsers so that SSL connections work without having to review any certificates yourself. However, this means you trust your browser's publisher, the Certificate Authorities it trusts (for a fee), and anyone the CA may have issued a certificate-issuing certificate to, to faithfully authenticate the users of all their certificates. This (transitive) trust is unfounded, but integral to the X.509 certificate chain model.
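The chain-walking and trust-anchor logic described above, as an added example that is not from the original article. The certificate names and keys are constructed, and because the Python standard library has no X.509 support the signature check is a keyed-hash stand-in; the point demonstrated is that every chain ends at a self-signed certificate and is only trusted if that certificate is already in the trust store.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str        # stand-in for the public key material
    signature: str  # stand-in signature over (subject, key) by the issuer's key

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def sign(issuer_key: str, subject: str, key: str) -> str:
    # Stand-in for a real signature: a hash bound to the issuer's key (constructed)
    return hashlib.sha256(f"{issuer_key}|{subject}|{key}".encode()).hexdigest()


def make_cert(subject: str, issuer: str, key: str, issuer_key: str) -> Cert:
    return Cert(subject, issuer, key, sign(issuer_key, subject, key))


def link_verifies(cert: Cert, issuer_cert: Cert) -> bool:
    # The issuer named in the certificate must match, and the signature must check out
    return (cert.issuer == issuer_cert.subject
            and cert.signature == sign(issuer_cert.key, cert.subject, cert.key))


def build_chain(leaf: Cert, pool: list) -> list:
    # Follow issuer links until reaching a self-signed certificate (the root)
    by_subject = {c.subject: c for c in pool}
    chain, seen = [leaf], {leaf.subject}
    while not chain[-1].self_signed:
        issuer = by_subject.get(chain[-1].issuer)
        if issuer is None:
            raise ValueError(f"no certificate found for issuer {chain[-1].issuer!r}")
        if issuer.subject in seen:
            raise ValueError("issuer loop: chain never reaches a root")
        chain.append(issuer)
        seen.add(issuer.subject)
    return chain


def chain_is_trusted(chain: list, trust_store: frozenset) -> bool:
    # Trust is implicit only for roots already in the store; every link must verify
    root = chain[-1]
    if not (root.self_signed and link_verifies(root, root) and root in trust_store):
        return False
    return all(link_verifies(c, i) for c, i in zip(chain, chain[1:]))


# Constructed sample hierarchy: trusted root -> issuing CA -> leaf, plus a rogue root
ROOT = make_cert("Example Root CA", "Example Root CA", "root-key", "root-key")
ISSUING = make_cert("Example Issuing CA", "Example Root CA", "issuing-key", "root-key")
LEAF = make_cert("www.example.test", "Example Issuing CA", "leaf-key", "issuing-key")
ROGUE_ROOT = make_cert("Rogue Root", "Rogue Root", "rogue-key", "rogue-key")
ROGUE_LEAF = make_cert("www.example.test", "Rogue Root", "leaf2-key", "rogue-key")
FORGED = Cert("www.example.test", "Example Issuing CA", "evil-key", "0" * 64)
POOL = [ROOT, ISSUING, LEAF, ROGUE_ROOT, ROGUE_LEAF, FORGED]
TRUST_STORE = frozenset({ROOT})
```

Adding `ROGUE_ROOT` to `TRUST_STORE` is all it takes for the rogue chain to verify, which is exactly the implicit trust the text describes.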