A CA issues and signs digital certificates, vouching that the public key in each certificate belongs to the named subject. Trust hierarchy: Root CA → Intermediate CA(s) → End-entity (leaf) certificate. A relying party validates a leaf by building a chain of signatures back to a root it already trusts.
Root CAs are kept offline to minimise attack surface; intermediate CAs, signed by the root, do the day-to-day issuing. Browsers and operating systems ship with a trust store of roughly 150 root CAs; anything chaining to one of them is accepted, which is why a server must send its intermediate(s) along with the leaf (a missing intermediate shows up as "unknown authority"). If a CA's signing key is compromised, the attacker can issue valid-looking certificates for any name, so every certificate that chains to that CA has to be distrusted (the CA is revoked or removed from trust stores, and all certificates it issued then fail validation). Internal/private CAs are used for enterprise internal certificates; their root is installed only on the organisation's own machines, so the same compromise rule applies within that scope.
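The hierarchy and the trust-store rule above, as an added example that is not part of the original note: it issues a root → intermediate → leaf chain with Go's standard crypto/x509, then verifies the leaf the way a browser would. All CA names, hostnames and serial numbers are invented for the demo; the rogue CA models a CA the client has not been configured to trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caTemplate describes a CA certificate. pathLen limits how many further CAs
// may sit below it (0 for an issuing CA that signs only end-entity certs).
func caTemplate(cn string, serial int64, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // made-up name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate describes an end-entity (server) certificate for one DNS name.
func leafTemplate(dns string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dns},
		DNSNames:     []string{dns}, // hostname check uses the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue generates a fresh P-256 key and signs tmpl with parentKey. A nil parent
// makes the certificate self-signed, i.e. a root CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PKI is the three-tier hierarchy from the note plus a rogue CA (and a leaf it
// issued for the same hostname) that the relying party does NOT trust.
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
	RogueRoot, RogueLeaf     *x509.Certificate
}

// BuildPKI issues root -> intermediate -> leaf, and a rogue root -> rogue leaf.
func BuildPKI() (*PKI, error) {
	root, rootKey, err := issue(caTemplate("Example Root CA", 1, 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Example Issuing CA", 2, 0), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(leafTemplate("www.example.com", 3), inter, interKey)
	if err != nil {
		return nil, err
	}
	rogueRoot, rogueKey, err := issue(caTemplate("Rogue CA", 4, 0), nil, nil)
	if err != nil {
		return nil, err
	}
	rogueLeaf, _, err := issue(leafTemplate("www.example.com", 5), rogueRoot, rogueKey)
	if err != nil {
		return nil, err
	}
	return &PKI{root, inter, leaf, rogueRoot, rogueLeaf}, nil
}

// VerifyLeaf does what a browser does: build a chain from the leaf through the
// intermediates the server sent to a root in the trust store, then check the hostname.
func VerifyLeaf(leaf *x509.Certificate, roots, intermediates []*x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: rootPool, Intermediates: interPool})
	return err
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	roots, inters := []*x509.Certificate{p.Root}, []*x509.Certificate{p.Intermediate}
	fmt.Println("full chain:             ", VerifyLeaf(p.Leaf, roots, inters, "www.example.com"))
	fmt.Println("intermediate not sent:  ", VerifyLeaf(p.Leaf, roots, nil, "www.example.com"))
	fmt.Println("wrong hostname:         ", VerifyLeaf(p.Leaf, roots, inters, "evil.example.com"))
	fmt.Println("rogue CA, not trusted:  ", VerifyLeaf(p.RogueLeaf, roots, nil, "www.example.com"))
	fmt.Println("rogue CA in trust store:", VerifyLeaf(p.RogueLeaf, append(roots, p.RogueRoot), nil, "www.example.com"))
}
```

The last two checks are the point of the note: the rogue leaf is rejected only because its root is absent from the trust store, and the moment that root is added (or a trusted CA's key is stolen, which is equivalent) a certificate for www.example.com issued by it validates just like the genuine one. The "intermediate not sent" case is the everyday misconfiguration: the leaf is fine, but the client cannot reach a trusted root without the intermediate.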