What is a Root Certificate?
A root certificate is a digital certificate issued by a public certification authority (CA) to prove its own legitimacy. It is a self-signed certificate, meaning the CA signs its own public key using its private key.
Although self-signed certificates are typically not considered trustworthy, root certificates issued by public certification authorities that adhere to established operational guidelines are recognized as reliable. These trusted root certificates are pre-installed in systems like web browsers.
Certification authorities authorized to issue trusted root certificates are referred to as root CAs (Certification Authorities). The certification authority ecosystem is structured hierarchically, with root CAs at the top. Other certification authorities are validated by higher-level CAs within this hierarchy and are known as intermediate CAs (Intermediate Certification Authorities).
Multiple root CAs exist. For example, electronic certificates used for Japan’s e-Tax system rely on root CAs such as the Government Shared Certification Authority (Official Position CA) and the Government Shared Certification Authority (Application CA 2).
When a web browser communicates with a website, it checks the server certificate presented by the website. Using root certificates stored in the browser, it decrypts the server certificate's signature to verify its authenticity. If the server certificate was signed by an intermediate CA, the browser traces the chain of CAs until it reaches the root CA.