Description
A Certification Authority (CA) is a fundamental component of the Public Key Infrastructure (PKI) within 3GPP security architectures. It is a trusted third-party entity responsible for issuing, revoking, and managing digital certificates. These certificates bind a public key to the identity of a subscriber, a network function (like a gNB or AMF), or a service, enabling cryptographic verification. The CA's core operation involves verifying the identity of an entity requesting a certificate (the subject), signing the certificate with its own private key to create a trusted credential, and publishing the corresponding Certificate Revocation List (CRL) or supporting Online Certificate Status Protocol (OCSP) to declare invalidated certificates. The trust in the entire system hinges on the CA's private key being securely safeguarded and its operational policies being rigorously audited.
In a 3GPP ecosystem, multiple CAs can exist, forming a hierarchy. A root CA, which is self-signed and inherently trusted, issues certificates to subordinate intermediate CAs. These intermediate CAs then issue end-entity certificates to network elements and User Equipment (UE). This hierarchical model allows for scalable trust management and limits the exposure of the root CA's critical private key. Validating a certificate means verifying the chain of digital signatures back to a trusted root CA certificate pre-provisioned in the verifying entity's trust store. This process is central to protocols like TLS/DTLS for securing N1, N2, and N3 interfaces in 5G, and to authentication between Network Functions in the 5G service-based architecture.
The CA's role extends beyond mere issuance. It enforces a Certificate Policy (CP) and Certification Practice Statement (CPS) that define the security controls, lifecycle management procedures, and liability frameworks. Key management ceremonies for CA key generation and storage are performed in highly secure, often offline, Hardware Security Modules (HSMs). In 3GPP, CAs support various certificate profiles as defined in specifications, including those for UICC, SUCI/SUPI protection, and network function authentication. The integrity of the PKI, and thus the security of authentication and confidentiality mechanisms in 3GPP networks, is directly dependent on the correct and secure operation of the Certification Authority.
Purpose & Motivation
The Certification Authority exists to solve the fundamental problem of establishing trust in a large-scale, distributed digital environment like a mobile network. Prior to PKI, secure key distribution for symmetric cryptography was cumbersome and did not scale for millions of subscribers and thousands of network nodes. The CA enables asymmetric cryptography by providing a verifiable and trusted association between a public key and an identity. This allows any entity to verify the authenticity of another entity without pre-sharing a secret, which is essential for scenarios like initial network attachment, roaming, and secure service discovery.
Historically, as 3GPP networks evolved from 2G (which used a shared secret in the SIM) to 3G and beyond, the need for more flexible, service-oriented security grew. The introduction of IP-based services, IMS, and later cloud-native 5G core networks demanded a standardized, interoperable method for authentication and secure communication between previously unknown parties. The CA and PKI provide this by decoupling the trust establishment (managed by the CA) from the secure communication (executed by the end entities using certificates). It addresses limitations of proprietary or centralized key management systems by providing a standardized, scalable, and auditable framework for digital trust that underpins modern 3GPP security features like AKA, EAP-TLS, and SEAL.
Detected Changes Across Releases
From 3GPP Change Requests: specific changes extracted from the "Change history" tables of 3GPP specifications (107 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the CA function was enhanced with the introduction of 5DL Carrier Aggregation combinations and new 2DL1UL CA combos, expanding the possible bandwidth configurations. Signaling support was added for euCA (Enhancing LTE CA Utilization), and clarifications were made for UE CA capabilities and the handling of Pmax for uplink intra-band contiguous CA. Furthermore, the release introduced procedures for SRB cell mapping and the configuration of multiple PHR (Power Headroom Reports) for CA and EN-DC scenarios.
- Introduction of 5DL CA combinations TS 36.104 CR4700
- Introduction of additional band combinations for Intra-band CA TS 36.104 CR4734
- Introduction of 5DL CA combinations to 36.104 TS 36.104 CR4751
- Introduction of 5DL CA combinations to 36.104 TS 36.104 CR4758
- CR to add new 2DL1UL CA combos to 36104 TS 36.104 CR4776
- Introduction of 5DL CA combinations to 36.104 TS 36.104 CR4789
+ 19 more changes
In Release 16, the enhancements for Carrier Aggregation (CA) and Dual Connectivity (DC) included specific operational clarifications and capability refinements. Key updates introduced procedures for uplink Tx DC location reporting for two-carrier uplink CA and defined handling for unaligned CA signalling. Furthermore, the release clarified restrictions, explicitly stating no support for CA or DC with DAPS handover, and refined UE capability signaling for scenarios like non-contiguous intra-band CA.
- CR for 36.300 for CA&DC enh TS 36.300 CR1268
- CR for 36.331 for CA&DC enh TS 36.331 CR4216
- CR to TS 38.307 on release independent update for the Rel.16 EN-DC and NR CA/DC TS 38.307 CR0040
- CR for 38.331 for CA&DC enh TS 38.331 CR1476
- Configuration for directional collision handling between reference cell and other cell for half-duplex operation in CA TS 38.331 CR2017
- Uplink Tx DC location reporting for two carrier uplink CA TS 38.331 CR2471
+ 22 more changes
In Release 17, the CA function saw enhancements including the introduction of new FR2 bandwidth classes for carrier aggregation, support for UE power class 2 in inter-band CA configurations, and refined test applicability for CA scenarios. The release also introduced the capability for parallel PRACH and SRS/PUCCH/PUSCH transmissions across component carriers in intra-band non-contiguous CA and provided corrections to uplink CA power scaling and spectrum emission parameters.
- CR to 38.807 Release independent for UE power class 2 NR inter-band CA and SUL configurations (R17) TS 38.307 CR0051
- Big CR to TS 38.307: intra-band CA with MIMO requirements (R17) TS 38.307 CR0101
- Parallel PRACH and SRS/PUCCH/PUSCH transmissions across CCs in intra-band non-contiguous CA [NC-PRACH-SimulTx] TS 38.331 CR3577
- Introduction of FR2 FBG2 CA BW classes TS 38.331 CR2867
- Introduction of new CA BW classes for FR2-2 TS 38.331 CR4498
- Correction to additionalSpectrumEmission for UL CA in n77 for Canada TS 38.331 CR3478
+ 18 more changes
In Release 18, the enhancements for the CA (Carrier Aggregation) function included the introduction of sidelink CA for NR V2X and signaling support for intra-band non-collocated NR-CA. The release also brought clarifications and updates to requirements, such as those for ATG BS, and introduced new test case applicabilities for scenarios like FR1 CA with UL MIMO and FR2 NSA power tolerance.
- Introduction of sidelink CA and dynamic resource pool sharing for NR V2X TS 37.985 CR0007
- CR to 38.124: EMC requirements for CA and DC combinations TS 38.124 CR0049
- Signaling support for intra-band non-collocated NR-CA, EN-DC TS 38.331 CR4396
- CR to TR 38.870 to add CA combinations to section 4.3.5 and editorial corrections TS 38.870 CR0008
- Clarify pre-registration in CA/RA for NF instance ID verification TS 33.310 CR0193
- Clarify the CA requirements for ATG BS in R18 TS 38.104 CR0621
+ 16 more changes
In Release 19, the enhancements for the "CA" (Carrier Aggregation) function focused on expanding capabilities and refining test specifications. Key introductions included support for Air-to-Ground (ATG) Base Stations in CA, signaling support for new receiver types in intra-band non-collocated EN-DC/NR-CA deployments, and the addition of test applicability for scenarios like PC1.5 intra-band CA with Transmit Diversity (TxD). The release also brought updates for 3Tx High Power User Equipment (HPUE) in inter-band CA and corrections to release-independent rules for PMI and CA test requirements.
- CR to TS 38.104: Introduction of Rel-19 ATG BS supporting CA TS 38.104 CR0728
- CR on TS38.307 Release independent for 3Tx HPUE inter-band CA TS 38.307 CR0196
- Introduction of signaling support for intra-band non-collocated EN-DC/NR-CA deployment Phase 2: new receiver type(s) TS 38.331 CR5479
- Making NF type as pre-registered parameter in CA/RA for IAK method TS 33.310 CR0214
- Addition of Applicability for EVM equalizer spectrum flatness for FR2 CA TS 38.522 CR0620
- applicability spec update for CA CQI reporting test cases TS 38.522 CR0699
+ 2 more changes
Defining Specifications
3GPP specifications that define or reference CA, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TR 21.905 vj00 | 3GPP Technical Terms and Definitions | Rel-19 |
| TR 22.980 vj00 | Network Composition Feasibility Study | Rel-19 |
| TS 23.057 vj00 | Mobile Execution Environment (MExE) Specification | Rel-19 |
| TS 24.109 vj00 | HTTP Digest AKA & GAA Stage 3 | Rel-19 |
| TS 24.587 vj30 | V2X Services Protocols for 5G System | Rel-19 |
| TS 25.211 vj00 | UTRA FDD Layer 1: Transport & Physical Channels | Rel-19 |
| TS 25.214 vj00 | UTRA FDD Physical Layer Procedures | Rel-19 |
| TS 25.222 vj00 | UTRA TDD Multiplexing & Channel Coding | Rel-19 |
| TR 26.917 vj00 | TV Service Enhancements over 3GPP | Rel-19 |
| TS 28.314 vk00 | Management and Orchestration - Plug and Connect | Rel-20 |
| TS 29.109 vj00 | GAA Bootstrapping Interfaces (Zh, Dz, Zn, Zpn) | Rel-19 |
| TS 31.113 v1800 | USAT Interpreter Byte Code Specification | Rel-8 |
| TS 32.373 v1900 | IRP Security Services CORBA Solution | Rel-9 |
| TS 32.376 vj00 | Security services for IRP Solution Set | Rel-19 |
| TS 32.501 vj00 | Self-Configuration of Network Elements Concepts | Rel-19 |
| TS 32.808 v1800 | Common User Profile Storage Framework | Rel-8 |
| TS 33.220 vj00 | Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) | Rel-19 |
| TS 33.221 vj00 | Subscriber Certificate Distribution via GBA | Rel-19 |
| TS 33.222 vj00 | Secure HTTP Access in GAA | Rel-19 |
| TS 33.303 vj00 | ProSe Security Specification for EPS | Rel-19 |
| TS 33.310 vj50 | 3GPP Authentication Framework for Network Nodes | Rel-19 |
| TS 33.320 vj00 | H(e)NB Subsystem Security Architecture | Rel-19 |
| TS 33.776 vj00 | Study of ACME for 5G SBA | Rel-19 |
| TS 33.790 vj10 | Security for Next-Gen Real-Time Communication Phase 2 | Rel-19 |
| TS 33.805 vc00 | 3GPP Network Product Security Assurance Methodology | Rel-12 |
| TS 33.820 v1830 | Home NodeB/eNodeB Security Architecture | Rel-8 |
| TS 33.823 vc20 | GBA Web Browser Integration Study | Rel-12 |
| TR 33.876 vi01 | Technical Report on Certificate Management | Rel-18 |
| TS 33.880 vf10 | Security Study for Enhanced Mission Critical Services | Rel-15 |
| TS 33.885 ve10 | Security Study for V2X Services | Rel-14 |
| TR 33.969 vj00 | Security for Public Warning System (PWS) | Rel-19 |
| TS 36.101 vj30 | LTE UE Radio Transmission & Reception Requirements | Rel-19 |
| TS 36.104 vj10 | Base Station (BS) radio transmission and reception | Rel-19 |
| TS 36.108 vj10 | Satellite Access Node RF Requirements | Rel-19 |
| TS 36.141 vj00 | E-UTRA BS Conformance Testing | Rel-19 |
| TS 36.181 vj30 | E-UTRA RF Test Methods for Satellite Access Node | Rel-19 |
| TS 36.300 vj00 | E-UTRAN Radio Interface Protocol Architecture Overview | Rel-19 |
| TS 36.307 vj10 | Release-Independent Frequency Band Support | Rel-19 |
| TS 36.331 vj00 | LTE RRC Protocol Specification | Rel-19 |
| TS 36.714 | 3GPP TR 36.714 | R99 |
| TS 36.715 | 3GPP TR 36.715 | R99 |
| TS 36.716 | 3GPP TR 36.716 | R99 |
| TS 36.761 vf00 | Extended-Band 12 Study Report | Rel-15 |
| TR 36.770 vi00 | Technical Report for High Power UE in LTE Band 14 | Rel-18 |
| TS 36.790 vf00 | LAA/eLAA for CBRS 3.5GHz Band in US | Rel-15 |
| TS 36.807 va00 | LTE Advanced UE Radio Requirements Study | Rel-10 |
| TS 36.808 va10 | LTE Carrier Aggregation Base Station RF Requirements | Rel-10 |
| TS 36.825 vd00 | Study on Additional LTE TDD Configurations | Rel-13 |
| TS 36.852 | 3GPP TR 36.852 | R99 |
| TS 36.853 | 3GPP TR 36.853 | R99 |
| TS 36.855 vd00 | E-UTRA Positioning Enhancements Study | Rel-13 |
| TS 36.858 ve00 | LTE 2.6 GHz SDL Band Technical Report | Rel-14 |
| TS 36.860 | 3GPP TR 36.860 | R99 |
| TS 36.867 vd00 | LTE DL 4 Rx Antenna Port Study TR | Rel-13 |
| TS 36.894 vd00 | Study on LTE Measurement Gap Enhancement | Rel-13 |
| TS 36.895 vd00 | 700 SDL Band for LTE Carrier Aggregation | Rel-13 |
| TS 36.899 | 3GPP TR 36.899 | R99 |
| TS 37.104 vj10 | MSR Base Station RF Characteristics | Rel-19 |
| TS 37.141 vj10 | RF Test Methods for Multi-Standard Radio Base Stations | Rel-19 |
| TS 37.145 vj10 | AAS Base Station Conducted Conformance Testing | Rel-19 |
| TS 37.320 vj00 | Minimization of Drive Tests (MDT) Overview | Rel-19 |
| TS 37.716 | 3GPP TR 37.716 | R99 |
| TS 37.717 | 3GPP TR 37.717 | R99 |
| TS 37.718 | 3GPP TR 37.718 | R99 |
| TS 37.808 vc00 | PIM Handling for Base Stations Study | Rel-12 |
| TS 37.812 vb30 | Multi-band Multi-standard Radio BS Requirements | Rel-11 |
| TS 37.814 vc00 | L-band Supplemental Downlink for UTRA/E-UTRA | Rel-12 |
| TS 37.842 vd30 | BS RF Requirements for Active Antenna Systems | Rel-13 |
| TR 37.843 vf70 | AAS BS Radiated RF Requirement Background | Rel-15 |
| TS 37.863 | 3GPP TR 37.863 | R99 |
| TS 37.864 | 3GPP TR 37.864 | R99 |
| TS 37.865 | 3GPP TR 37.865 | R99 |
| TS 37.866 | 3GPP TR 37.866 | R99 |
| TS 37.872 vf10 | Technical Report on SUL & LTE-NR DC with SUL | Rel-15 |
| TR 37.878 vi00 | Technical Report on Rel-18 NR V2X Band Combinations | Rel-18 |
| TS 37.898 vj00 | Rel-19 HPUE for EN-DC Band Combinations | Rel-19 |
| TR 37.901 vf10 | UE Application Layer Data Throughput Performance | Rel-15 |
| TR 37.985 vj00 | Overview of V2X features in LTE and NR | Rel-19 |
| TS 38.101 vj31 | NR User Equipment Radio Transmissions | Rel-19 |
| TS 38.104 vj20 | NR Base Station RF Requirements | Rel-19 |
| TS 38.108 vj20 | NTN NR Satellite Access Node RF Requirements | Rel-19 |
| TS 38.113 vj00 | NR Base Station EMC Specification | Rel-19 |
| TS 38.124 vj00 | NR UE EMC Requirements | Rel-19 |
| TS 38.133 vj20 | 5G UE Radio Requirements for RRC_IDLE Mobility | Rel-19 |
| TS 38.141 vj20 | NR Base Station RF Conformance Testing Part 1 | Rel-19 |
| TS 38.161 vj10 | NR UE TRP and TRS Requirements for FR1 | Rel-19 |
| TS 38.174 vj10 | NR Integrated Access and Backhaul Radio Spec | Rel-19 |
| TS 38.175 vj00 | EMC for NR IAB Nodes | Rel-19 |
| TS 38.176 vj20 | IAB Conformance Testing Specification | Rel-19 |
| TS 38.181 vj10 | NR Satellite Access Node RF Testing | Rel-19 |
| TS 38.202 vj00 | 5G NR Physical Layer Services | Rel-19 |
| TS 38.307 vj20 | NR UE Release Independent Requirements | Rel-19 |
| TS 38.331 vj00 | NR Radio Resource Control (RRC) Protocol Specification | Rel-19 |
| TS 38.521 vj20 | NR Physical Layer UE Conformance Testing | Rel-19 |
| TS 38.522 vj11 | UE Conformance Test Applicability Statement | Rel-19 |
| TS 38.523 vj20 | 5G NR UE Conformance Testing: Idle/Inactive | Rel-19 |
| TS 38.561 vj00 | UE Conformance for TRP/TRS FR1 | Rel-19 |
| TS 38.716 | 3GPP TR 38.716 | R99 |
| TS 38.717 | 3GPP TR 38.717 | R99 |
| TS 38.718 | 3GPP TR 38.718 | R99 |
| TS 38.719 vj00 | Rel-19 NR SUL Configurations and CA Band Combinations | Rel-19 |
| TS 38.746 vj00 | High Power UE for NR Inter-band CA/DC | Rel-19 |
| TS 38.750 vj00 | High Power UE for NR Inter-band CA/DC | Rel-19 |
| TS 38.755 vj10 | NR FR1 DL Fragmented Carriers Study | Rel-19 |
| TS 38.792 vj00 | UE RF Requirements for PC1.5 Inter-band UL CA/DC | Rel-19 |
| TS 38.793 vj00 | Simultaneous Rx/Tx Band Combinations TR | Rel-19 |
| TR 38.803 ve40 | Study on Coexistence and RF Feasibility for 5G NR | Rel-14 |
| TR 38.804 ve00 | Study on New Radio Access Technology; Radio Interface Protocol Aspects | Rel-14 |
| TR 38.810 vg70 | NR OTA Test Methods Study | Rel-16 |
| TS 38.817 | 3GPP TR 38.817 | R99 |
| TR 38.820 vg10 | NR; 7-24 GHz Frequency Range Study | Rel-16 |
| TR 38.825 vg00 | Study on NR Industrial IoT | Rel-16 |
| TS 38.831 vg10 | UE RF Requirements for FR2 Enhancements | Rel-16 |
| TR 38.839 vh00 | Simultaneous Rx/Tx band combinations | Rel-17 |
| TR 38.841 vh00 | High power UE for NR inter-band CA | Rel-17 |
| TR 38.842 vh00 | High Power UE for NR CA with Multiple Bands | Rel-17 |
| TR 38.846 vi10 | Technical Report | Rel-18 |
| TS 38.870 vj20 | Enhanced OTA Test Methods for NR FR1 TRP/TRS | Rel-19 |
| TS 38.873 vg00 | NR Band n48 Technical Report | Rel-16 |
| TR 38.880 vi00 | Technical Report for 3Tx inter-band UL CA and EN-DC | Rel-18 |
| TR 38.881 vi00 | Technical Report on Lower MSD for Inter-band CA/EN-DC/DC | Rel-18 |
| TR 38.884 vi20 | Technical Report | Rel-18 |
| TR 38.889 vg00 | NR-based access to unlicensed spectrum study | Rel-16 |
| TR 38.894 vi00 | Technical Report | Rel-18 |
| TR 38.899 vi00 | Technical Report for High Power UE | Rel-18 |
| TR 38.903 vj00 | Test Tolerances & Measurement Uncertainties | Rel-19 |