Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
An inherently trusted entity — like a root CA certificate or a DNSSEC root key — that serves as the starting point for validating a chain of cryptographic trust.
Trust Anchor Definition: An inherently trusted entity — like a root CA certificate or a DNSSEC root key — that serves as the starting point for validating a chain of cryptographic trust.
A trust anchor is an authoritative, inherently trusted entity — most often a public key or certificate — that serves as the starting point for validating a chain of trust without itself requiring further verification. It is the root of trust from which the authenticity of certificates, signatures, and other entities in a security architecture is derived.
In a public key infrastructure, the trust anchor is typically a root Certificate Authority's self-signed certificate. Validation works upward: an end-entity certificate is signed by an intermediate CA, whose certificate is signed by another CA, and so on until the chain terminates at the trust anchor. A relying party accepts the chain only if it ends at a trust anchor already present in its trusted store. In DNSSEC, the trust anchor is the root zone's public key, configured into resolvers so they can validate the signature chain down to a queried record.
Trust anchors matter because all derived trust collapses if the anchor is compromised. An attacker who can insert a rogue trust anchor into a system's trusted store, or who steals a root CA's private key, can forge certificates that the system will accept as legitimate — enabling undetectable man-in-the-middle interception or signed malware. For this reason root keys are protected in hardware security modules, used sparingly, and the trusted anchor store is tightly controlled.
For example, when a browser connects to an HTTPS site, the server presents its certificate plus intermediates. The browser builds the chain and checks that it terminates at a root CA certificate preinstalled in its trust store — the trust anchor. If it does and every signature validates, the connection is trusted; if the chain ends at an unknown anchor, the browser warns the user that the certificate cannot be verified.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →