In cryptography and computer security, a root certificate is an unsigned
public key certificate, or a self-signed certificate, and is part of a public key
infrastructure scheme. The most common commercial variety is based on the ISO X.509
standard. Normally an X.509 certificate includes a digital signature from a certificate
authority (CA) that vouches for the correctness of the data contained in the certificate.
The authenticity of the CA's signature, and whether the CA can be trusted, can be
determined by examining the CA's own certificate in turn. This chain must, however, end
somewhere, and it does so at the root certificate, so called because it sits at the root
of a tree. (A CA can issue multiple certificates, each of which can be used to issue
multiple certificates in turn, thus creating a tree.)
Root certificates are implicitly trusted. They are included with many software
applications; the best-known are Web browsers, where they are used for SSL/TLS secure
connections. However, this implies that you trust your browser's publisher to include
correct root certificates, and in turn the certificate authorities it trusts, and anyone
to whom a CA may have issued a certificate-issuing certificate, to faithfully
authenticate the users of all their certificates. This (transitive) trust in a root
certificate is merely assumed in the usual case, there being no practical way to ground
it better, but it is integral to the X.509 certificate chain model.
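The tree described above, worked through with Go's standard-library `crypto/x509` as an added example (not code from the original article): a self-signed root issues an intermediate CA, which issues a leaf certificate, and the verifier accepts the leaf only when that root is already in its own trust store. The CA names and the host name `www.example.test` are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues a certificate for cn under parent/parentKey; with no parent it signs itself (a root).
func sign(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // allowed to vouch for further certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"www.example.test"} // hypothetical host name
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the chain ends here
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain constructs root -> intermediate CA -> leaf (constructed names, fresh keys each call).
func BuildChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := sign("Example Root CA", 1, true, nil, nil)
	inter, interKey := sign("Example Intermediate CA", 2, true, root, rootKey)
	leaf, _ := sign("www.example.test", 3, false, inter, interKey)
	return root, inter, leaf
}

// ChainLength verifies leaf as a TLS client would: the intermediate is supplied by the peer,
// only roots come from the verifier's trust store. Returns chain length, or 0 if untrusted.
func ChainLength(leaf, inter *x509.Certificate, roots *x509.CertPool) int {
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.test"})
	if err != nil {
		return 0
	}
	return len(chains[0])
}
```

Every signature in the chain is valid in all three checks below; what decides acceptance is solely whether the verifier already holds the root, which is the "implicit trust" the text describes.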