Certificate authorities are the backbone of the SSL/TLS ecosystem and the spine that holds the encryption and security processes together. Without a certificate authority, you cannot obtain a certificate that browsers and operating systems will trust.
Whether you run a private CA for your organization's intranet or buy a public SSL certificate to secure your website, a certificate authority governs the issuing process. So, what is a certificate authority, and how does it work? This guide provides the answers.
Table of Contents
- What is a Certificate Authority?
- What is the history of Certificate Authorities?
- Who regulates Certificate Authorities?
- What are the types of Certificate Authorities?
- What is the list of trusted Certificate Authorities?
- What is the best Certificate Authority?
- What is the cheapest Certificate Authority?
- What is the list of untrusted Certificate Authorities?
- Can you create your own Certificate Authority?
- Frequently Asked Questions
- Final Thoughts
What is a Certificate Authority?
A certificate authority (CA) or certification authority is a trusted entity that issues digital certificates, which bind a public key to a domain name and, at the higher validation levels, to the applicant's organization identity. CAs play a fundamental role in establishing trust and secure communications between browsers and servers by verifying that the party requesting the certificate actually controls the domain or is the organization it claims to be.
Anyone can run a CA and issue certificates signed by their own root, but only a select few organizations have roots in the browser and operating system root stores and can therefore issue SSL/TLS certificates that the general public trusts.
What do Certificate Authorities do?
In essence, a certificate authority validates that the individual or company requesting the SSL certificate controls the domain (and, where applicable, is the organization it claims to be), signs the certificate with its own private key, and publishes status information so that clients can later check whether the certificate has been revoked. The identity check is similar to how a notary works. Behind the scenes, public CAs follow strict guidelines and pass regular audits to comply with the current industry requirements.
How do Certificate Authorities work?
Depending on the validation level, the CA performs different checks to establish domain control and, where required, business identity. For a Domain Validation certificate, the CA uses one of several quick, usually automated methods to confirm that you control the domain, such as an email to an address at the domain, a DNS TXT record you publish, or a file placed at a well-known URL on the site. For a Business (Organization) Validation or Extended Validation certificate, the CA additionally runs a thorough vetting process against official business registries and other public databases, and may record the organization's Legal Entity Identifier (LEI) in the certificate.
After the certificate authority has authenticated the applicant, it signs the certificate with the private key of one of its intermediate CAs, which is itself signed by the CA's root. This chain of signatures, from your certificate to the intermediate to the root, is the chain of trust that lets browsers accept your certificate.
The CA remains responsible for the certificate's status for its whole lifetime: it is the party that can revoke it and the party everyone else relies on, and that responsibility is what keeps the ecosystem safe. If a CA's root key is compromised, browsers and operating systems remove the root from their trust stores, which in practice spells the end of that CA.
Universal trust on the Web is not taken for granted. It relies on security requirements and efficient cooperation between the SSL industry's decision-makers. Just as web encryption has come a long way since the first draft of the now-defunct SSL protocol, CAs have forged their path with ups and downs to attain the reliability of today.
In the following sections, you will find a brief history of Certificate Authorities and learn who ultimately regulates them.
What is the history of Certificate Authorities?
It was 1995 when Mark Richard Shuttleworth, a young South African-British entrepreneur, founded Thawte. Run from Shuttleworth's parents' garage, Thawte became the first Certificate Authority to issue public SSL certs outside the United States.
In the same year, across the Atlantic, Verisign was established as a spin-off of the RSA Security certification services business. The new company served as a Certificate Authority and, in the following years, gained about 50% of the market share. The other half belonged to Thawte. Both Verisign and Thawte had root certificates in the first Netscape browsers.
In 1999, Verisign acquired Thawte from Shuttleworth for $575 million and cemented its place as the market leader at the start of the new millennium.
Around that time, in 2002, a new Certificate Authority came into the spotlight. The now-renowned GeoTrust brand was the first CA to issue public domain-validated SSL certificates.
In 2007, Comodo CA (now Sectigo) organized the first meeting of the CA/Browser Forum. This voluntary consortium of CAs, browser vendors, and operating system vendors produced the first Extended Validation guidelines.
In 2010 Verisign sold to Symantec its entire authentication business unit, which included SSL Certificate, Public Key Infrastructure, Verisign Trust, and Verisign Identity Protection authentication services.
After a series of security incidents, Symantec sold in 2017 to DigiCert its digital certificate business, including the Verisign, Thawte, GeoTrust, and RapidSSL brands. The whole deal was worth $950 million.
Who regulates Certificate Authorities?
If the certificate authorities are responsible for validation and revocation, who regulates them? To answer this question, let's inspect all the parties involved in this process.
Browsers and Applications
Browsers and applications define the rules that govern CAs. Every browser (or the operating system it runs on) ships with a set of trusted root certificates, known as a root store. A browser accepts a certificate issued by a public CA only if the certificate's chain leads to a root that is already marked as trusted in that store.
Not all browsers keep their own root store; many rely on the root store of the client's operating system instead. If a certificate chains to a root that is in neither the browser's nor the operating system's root store, the browser warns the user not to trust it.
But how do browsers decide which CA roots to trust? Each browser vendor runs a root program with published rules on how CAs must operate, and those rules are tightened over time to raise the bar.
Over time they have eliminated weak signature algorithms such as MD5 and SHA-1 and outdated key sizes such as 512-bit and 1024-bit RSA (2048 bits is now the minimum). If a CA fails to meet the full list of root program requirements, its roots are removed from the trusted root store.
Browsers and CAs
Browsers have a significant say in how CAs should operate. However, a Browser is not the only entity that regulates trusted Certificate Authorities. CAs themselves, with the browsers’ approval, adopted several essential guidelines that revolutionized the SSL landscape.
CAs and browsers have joined forces and established the CA/Browser Forum, a voluntary organization of over 50 CA members and nine browser members that sets the SSL industry standards.
WebTrust/ETSI audit regimes
After the members of the CA/B Forum approve a set of guidelines or an update, the audit bodies incorporate them into their audit criteria: CPA Canada (formerly the Canadian Institute of Chartered Accountants) together with the American Institute of CPAs for WebTrust, and the European Telecommunications Standards Institute (ETSI) in Europe.
The requirements then become part of the WebTrust for CAs audit criteria or the corresponding ETSI standards. The browsers reference these audits in their root store requirements, and the CAs must pass them to remain trusted.
In conclusion, browsers and CAs jointly oversee the rules of public certificate issuance. Their combined effort has made misissuance far rarer, and far quicker to detect, than it was a decade ago.
What are the types of Certificate Authorities?
When discussing different Certificate Authority types, we must classify them according to their hierarchy, products, and trust level. We’ll start with the hierarchical order that consists of a root CA, an intermediate CA, and an issuing CA.
What is a root Certificate Authority?
A root certificate authority is the CA whose self-signed root certificates browsers and operating systems trust by default. Because anything signed by a root key is accepted without further proof, root keys are generated and kept in hardware security modules that are held offline in highly guarded facilities and brought out only to sign new intermediate certificates.
What is an intermediate Certificate Authority?
An intermediate certification authority is a CA whose certificate is not itself in the root stores but is signed by a root CA. If an application can build a chain from a certificate issued by an intermediate CA back to a trusted root, the certificate is considered valid.
The role of intermediate CAs is to add a layer between the root key and day-to-day issuance. The root stays offline, and if an intermediate's key is compromised, the CA can revoke that intermediate alone instead of having its root removed from the trust stores.
What is an issuing Certificate Authority?
An issuing certificate authority is the CA that signs certificates for end users. It is subordinate to an intermediate CA, which signs the issuing CA's certificate with its private key (in many hierarchies the intermediate and the issuing CA are the same certificate). Publicly trusted TLS certificates signed by an issuing CA are currently limited to a maximum validity of 398 days, and browsers trust them only if they chain to their respective intermediates and roots.
When it comes to trust, CAs are divided into two main branches: public CAs and private Certificate Authorities.
What is the difference between a public Certificate Authority and a Private CA?
A public certificate authority is a CA operated by a third-party organization whose roots are in the public root stores, usually to issue SSL certificates to the general public. All commercial and free (often called open-source) CAs whose certificates are trusted by browsers and operating systems are public certificate authorities. Public CAs can be further classified into commercial CAs and free, non-profit CAs.
Commercial CAs sell digital certificates at every validation level. They are the only CAs to offer Business (Organization) Validation and Extended Validation certificates, and they typically bundle warranties, site seals, and support with them.
Free CAs issue Domain Validation certificates trusted by browsers and operating systems. They validate domain control only, so they are commonly used for personal websites, blogs, and online portfolios, although the encryption they provide is the same as that of any other certificate.
A private certificate authority is a CA operated by a single organization, generally to issue digital certificates to its own devices, services, and employees. Private certificates are trusted only on the internal servers and machines where the organization has installed its own root.
What is the list of trusted Certificate Authorities?
All public CAs are trusted CAs because their root certificates are already included in the browser and operating system root stores. Below is a list of commercial and free CAs whose certificates you can rely on.
Commercial CAs you can trust
Digicert – a premium certificate authority operating in the high-assurance SSL market. Fortune 500 companies and 97 of the 100 top global banks use DigiCert services to encrypt their websites and devices.
Sectigo (formerly Comodo) – one of the most recognizable names in the SSL industry, offering affordable certificates for every need. Over three million customers use Sectigo products worldwide.
Thawte – one of the oldest CA brands, now owned by DigiCert, with an excellent reputation and security solutions in the premium SSL segment. Thawte SSL certificates are a strong indicator of trust and reliability.
GeoTrust – another top-rated brand, also part of DigiCert, serving over 100,000 international customers in 150 countries. GeoTrust certificates feature high SSL warranties and dynamic site seals to boost users' trust.
RapidSSL – a DigiCert brand that validates domain ownership only. It's the perfect choice for smaller websites and businesses. RapidSSL employs a fully automated issuance process that delivers digital certificates in just a few minutes.
Open-source CAs you can trust
Let's Encrypt – the largest free CA, run by the non-profit Internet Security Research Group, offering free Domain Validation SSL certificates suitable for personal sites, blogs, and informational platforms. Let's Encrypt certificates come with limitations: they are valid for 90 days and are meant to be renewed automatically with an ACME client, there is no organization validation, and very old devices whose root store lacks ISRG Root X1 may not trust them.
What is the best Certificate Authority?
The best certificate authority is the one that works best for your particular budget and project. Both a cheap and an expensive car will get you from A to B; the same principle applies to CAs.
All SSL certificates use the same public-key cryptography, and the strength of the encryption on the wire is determined by your server's TLS configuration, not by the price of the certificate. So whether you use a seven-dollar certificate or a premium one, browsers will trust it the same way. What differentiates CAs is their brand image, validation level, extra features, and market segment.
In 2023, the certificate authority market share, according to W3Techs surveys, paints the following picture:
- IdenTrust – 54.3%
- Digicert Group – 15.7%
- Sectigo – 14.3%
- Let’s Encrypt – 6.3%
- GoDaddy Group – 5.7%
- GlobalSign – 3.7%
- Certum – 0.7%.
Now you may wonder who IdenTrust is, and why we haven't mentioned them so far. By itself, IdenTrust is a CA that provides digital certificates to financial institutions, healthcare providers, government agencies, and enterprises. Its large share comes mostly from Let's Encrypt certificates whose default chain ends at IdenTrust's DST Root CA X3.
In 2015, IdenTrust cross-signed the intermediate certificates of Let's Encrypt, which allowed Let's Encrypt to be trusted in all major browsers before its own root, ISRG Root X1, had been added to their root stores.
If we exclude the open-source CAs and focus only on the commercial CA market share, Digicert and Sectigo are the most popular certificate authorities worldwide.
What is the cheapest Certificate Authority?
Sectigo (formerly Comodo) is the cheapest certificate authority on the market, with prices starting from just $7 per year for an entry-level Domain Validation certificate. Sectigo is synonymous with affordable SSL.
They even have an exclusive range called Positive SSL that features budget-friendly certificates for every need. Whether you need to secure a small business website or a premium multi-site network, Sectigo is the answer.
What is the list of untrusted Certificate Authorities?
You can find many lists of trusted CAs for different browsers and operating systems, but what about untrusted Certificate Authorities? Once a CA is distrusted, its roots are removed from the root stores and it can no longer issue certificates that browsers accept, so such CAs survive only as case studies and for educational purposes.
It is almost impossible for a CA to come back from a significant security breach. Below are a few examples of what happens when CAs suffer serious security incidents.
Fifteen years after the first CAs entered the market, the security and certificate issuance procedures still had critical loopholes, ruthlessly exposed by attackers. The biggest wake-up call to the industry came in 2011 when an unknown attacker obtained full administrative access to DigiNotar's core CA systems.
The Dutch Certificate Authority's systems were used to issue a rogue wildcard certificate for google.com, which was then used in man-in-the-middle attacks on around 300,000 Iranian Gmail users. All the major browsers quickly distrusted DigiNotar, and it filed for bankruptcy within weeks.
The end of Symantec CA
While DigiNotar was a relatively small fish in the market, what happened to Symantec a few years later put the whole CA industry under increased scrutiny. In 2015, Google discovered that Symantec had issued over 100 test certificates for 76 domains, including Google's own, without the authorization of the domain owners.
At first, Google required Symantec to adopt new preventive measures and undergo a third-party security audit, but after further misissuance and audit failures came to light, all major browsers distrusted Symantec's roots.
The Symantec debacle could have shaken the whole SSL ecosystem, because the largest CA at that time issued one-third of all digital certificates on the Web. With millions of certificates affected and Google's 2018 distrust deadline looming, Symantec agreed to sell its entire digital certificate business to its main competitor, DigiCert.
By October 2018, DigiCert had revalidated over 500,000 business identities and replaced over 5 million affected certificates.
Can you create your own Certificate Authority?
Anyone can create a CA and issue certificates for their own organization or custom servers. With tools such as Active Directory Certificate Services (Microsoft CA) or the OpenSSL command-line utility, you can set up a private certificate authority relatively quickly. Here are the general steps for establishing your own CA:
- Create the directories and configuration files for the CA.
- Generate the root CA's private key and self-signed root certificate (and, ideally, an intermediate CA signed by it, so that the root key can stay offline).
- Install the root certificate as a trusted root on the machines of your network.
- Configure AD CS or OpenSSL to sign certificate requests with the CA's private key and certificate.
- On each server, generate a key pair and a Certificate Signing Request (CSR).
- Sign the CSR with the CA to produce the server's certificate. Only the root is self-signed; the server certificates are signed by your CA and chain back to it.
Of course, public browsers and apps won't trust your private CA out of the box, but it is useful for securing intranet services and for testing.
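The steps above carried out end to end, as an added example that is not the article's own procedure: it uses Go's standard library in place of OpenSSL or AD CS to create a self-signed root, an intermediate signed by the root, and a server certificate signed by the intermediate, then verifies the chain the way a browser would. It also shows the two failures a practitioner meets first, a client that has not installed the root and a certificate presented for the wrong hostname, and so illustrates the chain of trust described under "How do Certificate Authorities work?". The CA names, the hostname intranet.example.internal and the lifetimes are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not from the article: a root -> intermediate -> server
// hierarchy built with Go's standard library as a stand-in for the OpenSSL /
// AD CS procedure. CA names, "intranet.example.internal" and the lifetimes
// are placeholders.

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign issues a certificate from tmpl, signed with parentKey; passing tmpl as
// its own parent (with the matching key) produces a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der)) // parsing fills in the generated extensions
}

// caTemplate describes a CA certificate; maxPathLen is how many further CA
// tiers may sit below it (0 = may only sign end-entity certificates).
func caTemplate(cn string, serial int64, maxPathLen, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		MaxPathLen: maxPathLen, MaxPathLenZero: maxPathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// PrivateCA holds the root (the trust anchor you install on your machines) and
// the intermediate that signs day to day; the root key is dropped after setup.
type PrivateCA struct {
	Root, Intermediate *x509.Certificate
	interKey           *ecdsa.PrivateKey
}

func NewPrivateCA() *PrivateCA {
	rootKey, interKey := newKey(), newKey()
	rootTmpl := caTemplate("Example Private Root CA", 1, 1, 20)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := sign(caTemplate("Example Private Issuing CA", 2, 0, 5), root, &interKey.PublicKey, rootKey)
	return &PrivateCA{Root: root, Intermediate: inter, interKey: interKey}
}

// IssueServerCert is the "sign the CSR" step: the server's public key goes
// into a certificate signed by the intermediate. The server key is generated
// here rather than read from a CSR to keep the example self-contained.
func (ca *PrivateCA) IssueServerCert(dnsName string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, 398), // public CAs cap TLS certificates at 398 days
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca.Intermediate, &key.PublicKey, ca.interKey), key
}

// VerifyChain does what a browser does: accept the leaf only if it chains,
// through the presented intermediate, to a root in the trust store and names
// the visited host. A nil trustedRoot simulates a client without your root.
func VerifyChain(leaf, intermediate, trustedRoot *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if trustedRoot != nil {
		roots.AddCert(trustedRoot)
	}
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}

func main() {
	ca := NewPrivateCA()
	leaf, _ := ca.IssueServerCert("intranet.example.internal")
	fmt.Println("root installed:", VerifyChain(leaf, ca.Intermediate, ca.Root, "intranet.example.internal"))
	fmt.Println("root unknown:  ", VerifyChain(leaf, ca.Intermediate, nil, "intranet.example.internal"))
	fmt.Println("wrong host:    ", VerifyChain(leaf, ca.Intermediate, ca.Root, "other.example.internal"))
}
```

To put the result on a real server, write the leaf and its key out as PEM (encoding/pem with x509.MarshalECPrivateKey) and install Root in the trust stores of the client machines. Note that modern verifiers, Go's included, ignore the Common Name and require a Subject Alternative Name, so DNSNames is not optional.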
Frequently Asked Questions
1. Are certificate authorities free?
Private CAs are free to run, but their root is self-signed and trusted only where you install it, so their certificates are not suitable for the public Internet. Public CAs, on the other hand, can be either free or commercial. Browsers and operating systems will trust a free or paid certificate alike if it chains to a public CA's root.
2. How does a certificate authority verify identity?
Depending on the validation level, the CA runs a series of checks to establish identity. For Domain Validation certificates, verifying domain control is an automated process: the applicant proves control by responding to an email sent to an address at the domain, by publishing a DNS record the CA specifies, or by placing a file the CA specifies on the web server, and the CA checks the result.
If you request a Business or Extended Validation certificate, the CA will use official business registries and other public databases to confirm your company's identity. If it cannot, it will ask you to submit additional paperwork.
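The automated Domain Validation step described above, and under "How do Certificate Authorities work?", as an added example that is not part of the article: the HTTP-01 challenge of the ACME protocol (RFC 8555) that Let's Encrypt and other automated CAs use, with both the CA's side and the applicant's web server simulated in one Go program. The CA hands out a random token; the applicant must publish that token joined to a thumbprint of its ACME account key at a well-known URL on the site; the CA fetches the URL and accepts only an exact match, so a stranger who sees the token cannot satisfy the challenge for an account they do not hold. The domain name www.example.com is a placeholder and the HTTP request is routed in-process rather than over the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Added example, not from the article: the ACME HTTP-01 domain-control check
// (RFC 8555, sections 8.1 and 8.3) with the CA side and the applicant side in
// one process. The hostname is a placeholder; no socket is opened.

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Thumbprint is the RFC 7638 JWK thumbprint of a P-256 ACME account key:
// SHA-256 over the members crv, kty, x, y in lexicographic order, no spaces.
func Thumbprint(pub *ecdsa.PublicKey) string {
	x := pub.X.FillBytes(make([]byte, 32))
	y := pub.Y.FillBytes(make([]byte, 32))
	jwk := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, b64url(x), b64url(y))
	sum := sha256.Sum256([]byte(jwk))
	return b64url(sum[:])
}

// NewToken is the CA side: a fresh random challenge token per validation.
func NewToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b64url(b)
}

// KeyAuthorization is the value the applicant must publish; binding the token
// to the account key stops a bystander from answering for another account.
func KeyAuthorization(token string, accountKey *ecdsa.PublicKey) string {
	return token + "." + Thumbprint(accountKey)
}

// ChallengeHandler is the applicant side: an HTTP handler that serves each
// token's key authorization under /.well-known/acme-challenge/<token>.
func ChallengeHandler(answers map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ka, ok := answers[strings.TrimPrefix(r.URL.Path, "/.well-known/acme-challenge/")]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/octet-stream")
		io.WriteString(w, ka)
	})
}

// inProcess routes an http.Client straight to a handler, so the CA code can fetch "http://<domain>/..." without a socket.
type inProcess struct{ h http.Handler }

func (t inProcess) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

func NewClient(site http.Handler) *http.Client { return &http.Client{Transport: inProcess{site}} }

// ValidateHTTP01 is the CA side: fetch the challenge URL over plain HTTP and
// accept only an exact match. A real CA also resolves the domain's address
// itself and probes from several vantage points to defeat local DNS tricks.
func ValidateHTTP01(client *http.Client, domain, token string, accountKey *ecdsa.PublicKey) error {
	resp, err := client.Get("http://" + domain + "/.well-known/acme-challenge/" + token)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("challenge URL returned HTTP %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return err
	}
	if strings.TrimSpace(string(body)) != KeyAuthorization(token, accountKey) {
		return fmt.Errorf("key authorization mismatch: applicant does not control %s", domain)
	}
	return nil
}

func main() {
	accountKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token := NewToken()
	site := NewClient(ChallengeHandler(map[string]string{token: KeyAuthorization(token, &accountKey.PublicKey)}))
	fmt.Println("right answer published:", ValidateHTTP01(site, "www.example.com", token, &accountKey.PublicKey))
	fmt.Println("token never published: ", ValidateHTTP01(site, "www.example.com", NewToken(), &accountKey.PublicKey))
}
```

The same shape applies to the DNS-01 method, where the applicant publishes the SHA-256 digest of the key authorization in a TXT record at _acme-challenge.<domain> instead of serving it over HTTP.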
3. How to choose a certificate authority?
Ensure that the CA is trusted by the major root programs and in good standing. All commercial CAs offer digital certificates with warranties that pay out in the unlikely event of misissuance. Next, determine your website's needs and budget before buying a certificate. A tool like SSL Wizard can help you choose the right certificate for your project.
Certificate Authorities are the guardians of web encryption. Through advanced technology and strict guidelines, they operate and safeguard the SSL issuing process so that we, users, can safely browse and share sensitive data with online stores, banks, and subscription services.
This extensive guide has not only explained what a certificate authority is but also ventured deeper into the different types of CAs and their purpose. Hopefully, you are now better equipped to tell a public CA from a private one and to choose the one that best fits your needs.
Image by macrovector on Freepik