The encrypted digest is called a "digital signature," and when placed into the X.509 certificate, the certificate is said to be "signed." The CA keeps its private key very secure, because if ever ...