Certification authority (CA) certificates are certificates that are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two CAs.

A certificate that is issued by a CA to itself is referred to as a trusted root certificate, because it is intended to establish a point of ultimate trust for a CA hierarchy.

Once the trusted root has been established, it can be used to authorize subordinate CAs to issue certificates on its behalf.

CA certificates can also be used to establish trust relationships between CAs in two different public key infrastructure (PKI) hierarchies.

In all of these cases, the CA certificate is critical to defining the certificate path and usage restrictions for all end-entity certificates issued for use in the PKI.
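The hierarchy described above, built with OpenSSL as an added example that is not part of the original page: a self-issued root authorizes a subordinate CA, and path validation rejects certificates issued outside what the CA certificates allow. The subject names, the `issue`, `path_ok` and `report` helpers, and the specific `basicConstraints` and `keyUsage` values are assumptions chosen for illustration.

```shell
# Added example: throwaway keys and constructed names in a temporary directory.
work=$(mktemp -d) && cd "$work" || exit 1
trap 'cd / && rm -rf "$work"' EXIT

# Extension profiles (assumed values): the CA flag and pathlen are the restrictions.
cat > ext.cnf <<'EOF'
[root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[sub]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF

# issue NAME ISSUER PROFILE: new key and CSR for NAME, certificate signed by ISSUER.
# NAME equal to ISSUER gives a self-issued certificate (the trusted root).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ "$1" = "$2" ]; then signer="-signkey $1.key"
  else signer="-CA $2.crt -CAkey $2.key -CAcreateserial"; fi
  # $signer is left unquoted on purpose so it splits into separate arguments.
  openssl x509 -req -in "$1.csr" $signer -days 30 -extfile ext.cnf \
    -extensions "$3" -out "$1.crt" 2>/dev/null
}

# path_ok CERT CA...: validate CERT through the listed CAs, trusting only the root.
path_ok() {
  cert=$1; shift
  for ca in "$@"; do cat "$ca.crt"; done > chain.pem
  openssl verify -CAfile root.crt -untrusted chain.pem "$cert.crt" >/dev/null 2>&1
}

report() { if path_ok "$@"; then echo "$1: accepted"; else echo "$1: rejected"; fi; }

issue root root root      # self-issued trusted root
issue sub root sub        # subordinate CA authorized by the root
issue leaf sub leaf       # end-entity certificate
issue rogue leaf leaf     # signed with an end-entity key (issuer is CA:FALSE)
issue sub2 sub sub        # CA issued below a pathlen:0 CA
issue leaf2 sub2 leaf     # end-entity certificate under that extra CA

report leaf sub           # leaf: accepted
report rogue sub leaf     # rogue: rejected
report leaf2 sub sub2     # leaf2: rejected
```

The two rejected paths are cryptographically well signed; they fail only because of the restrictions carried in the CA certificates above them.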

Configuring CA certificates appropriately for the organization's needs is one of the most powerful tools that an organization has for implementing PKI security. CA certificates contain special configuration data that regulate the CAs to which they are issued. These configuration options can: