Certificate authorities
As explained before, a certificate authority (CA) is "an entity that is trusted by all communication partners". For TLS communication, this means that a CA is trusted to issue a user certificate only after having checked that the requester for the certificate really is who he says.
For TLS communication, CA is trusted to issue a user certificate only after having checked that the requester for the certificate really is who he says. The extent of this checking is of various degrees. Basic checking usually means verifying that the requester is the owner of the stated e-mail address and internet domain. More elaborate verification may include a proper postal address, entry in a trade register, and even more background checks. The more checking is performed, the trustworthier are the CA and the certificates it issues. These factors also have an effect on the price to be paid for the certificate. This applies mostly to public CAs.
Returning to the basic principle of "an entity that is trusted by all communication partners", a company or organization also can setup its own CA for all internal database communication. As long as all database servers and database clients reside e.g. within the same intranet, all in-house communication partners can agree upon and trust a "home-grown" CA that issues user certificates for the database servers and distributes its own CA certificates to the database clients. As a concept, this may even be acceptable for certain B2B communications, where a database client may be outside of the intranet. Still, the client may trust the CA certificate received from the company for access to a database service of this same company.
With that, the use of CAs can be divided into three basic categories:
- Using a public CA (and paying for the certificates issued).
- Setting up a home-grown CA (for a limited number of well known and trusting communication partners).
- Not using a CA at all (but only using self-signed certificates).