Certificate Authorities (CAs) are trusted entities that issue public digital certificates, which confirm the identities of the certificate owners. CAs play a fundamental role in establishing trust and secure communications between browsers and servers, by verifying that the client or organization in question is indeed who they claim to be.
Anyone can become a CA and issue self-signed certificates, but only a select few companies end up signing SSL/TLS certificates for the general public. That universal trust on the Internet isn't granted automatically; it's the result of rigorous safety directives and efficient cooperation between the SSL industry's decision-makers.
Just like web encryption has come a long way since the first draft of the now-defunct SSL protocol, Certificate Authorities have forged their path with ups and downs to attain the reliability of today. This article takes you through the young but eventful history of Certificate Authorities, so let’s get started!
The first Certificate Authorities
It was 1995 when Mark Richard Shuttleworth, a young South African-British entrepreneur, founded Thawte. Originally run from Shuttleworth’s parents’ garage, Thawte became the first Certificate Authority to issue public SSL certs outside of the United States.
In the same year, across the Atlantic, Verisign was established as a spin-off of the RSA Security certification services business. The new company served as a Certificate Authority, and in the following years gained about 50% of the market share. The other half belonged to Thawte. Both Verisign and Thawte had certificates in the first Netscape browsers.
In 1999, Verisign acquired Thawte from Shuttleworth for $575 million. It was the first of many acquisitions of this kind, which would eventually shape the SSL industry as we know it today. The hefty income from the sale allowed Shuttleworth to become the second space tourist, and to found the Ubuntu project.
At the start of the new millennium, Verisign cemented its place as the market leader in issuing public digital certificates, but a serious incident in 2001 cast doubts on the company’s validation procedures.
An attacker pretending to be a Microsoft employee tricked Verisign into issuing two unauthorized code signing certificates for Microsoft. Worst of all, there was no way to revoke the certificates at the time, because Windows didn't support CRL (certificate revocation list) checking. Although Verisign was swift and transparent in dealing with the fraud, the security blunder was the first of many to undermine the SSL industry in the following years.
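The gap described above is the difference between a client that checks a CRL and one that doesn't. The following script, an added example that is not part of the original article, builds a throwaway CA with the openssl command-line tool (assumed to be installed), issues a server certificate, revokes it, publishes a CRL, and shows that a verifier which ignores revocation still accepts the certificate while a CRL-checking verifier rejects it. Every name in it (Example Root, www.example.test) is invented for the demo.

```shell
#!/bin/sh
# Added example, not from the article: a toy CA issues a leaf certificate,
# revokes it, publishes a CRL, and two verifiers disagree about the leaf
# depending on whether they consult the CRL. All names are invented.
set -eu

demo_crl_check() {
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    mkdir certs                # where 'openssl ca' files issued certificates
    : > index.txt              # the CA's issuance database (empty)
    echo 1000 > serial         # next certificate serial number
    echo 1000 > crlnumber      # next CRL number

    # Self-contained config so the demo does not depend on the system openssl.cnf.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = root_ca
[dn]
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
[ca]
default_ca = toy_ca
[toy_ca]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/certs
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/root.crt
private_key = $dir/root.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = leaf
[policy_any]
commonName = supplied
EOF

    # Root CA and a server certificate issued by it.
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout root.key -out root.crt -subj "/CN=Example Root" 2>/dev/null || return 1
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" 2>/dev/null || return 1
    openssl ca -config ca.cnf -batch -notext -in leaf.csr -out leaf.crt 2>/dev/null || return 1

    # With an empty CRL the leaf passes even for a CRL-checking verifier.
    openssl ca -config ca.cnf -gencrl -out empty.crl 2>/dev/null || return 1
    openssl verify -CAfile root.crt -crl_check -CRLfile empty.crl leaf.crt || return 1

    # The key is reported compromised; the CA revokes the cert and publishes a new CRL.
    openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null || return 1
    openssl ca -config ca.cnf -gencrl -out revoked.crl 2>/dev/null || return 1

    # A verifier that never looks at CRLs (the 2001 Windows situation) still accepts it ...
    openssl verify -CAfile root.crt leaf.crt || return 1
    # ... while a verifier that checks the CRL rejects it ("certificate revoked").
    if openssl verify -CAfile root.crt -crl_check -CRLfile revoked.crl leaf.crt 2>/dev/null; then
        echo "unexpected: revoked certificate accepted" >&2
        return 1
    fi

    cd / && rm -rf "$work"
    echo "revocation demo ok"
}

demo_crl_check
```

The point of the last two verify calls is that revocation is only as good as the relying party's willingness to fetch and honour the CRL: the certificate itself is unchanged, so a client that skips the check keeps trusting it.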
Certificate Authorities in the 21st century
Around that time, in 2002, a new Certificate Authority came into the spotlight. The now renowned GeoTrust brand was the first CA to issue public domain-validated SSL certificates. Lower prices and faster validation appealed to many businesses and, as a result, grew GeoTrust's market share to 26.7% by 2006.
In a bid to differentiate their business validation certificates from those “quick” certs, Verisign launched extensive advertising and PR campaigns. The fierce competition between companies would end in 2006 when Verisign acquired GeoTrust for $125 million.
Away from the SSL price and product wars, another CA was climbing towards the top of the market share. Founded by Melih Abdulhayoğlu in 1998 in the United Kingdom, Comodo Security Solutions relocated to the United States in 2004.
One year later, the Turkish American entrepreneur organized the first meeting of the CA/Browser Forum. The voluntary consortium of CAs, browser vendors, and operating system vendors contributed to the adoption of the first Extended Validation guidelines on 7 June 2007. In November 2011, the CA/B Forum approved version 1.0 of the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates".
To further promote CA/B Forum standards, the Certificate Authority Security Council (CASC) was formed in February 2013. As of 2014, the CA/B Forum included over 40 CAs and 6 browser software vendors.
Major acquisitions and security challenges
The year 2010 recorded the largest acquisition deal in the SSL industry when Verisign sold its entire authentication business unit, which included its SSL certificate, Public Key Infrastructure, Verisign Trust, and Verisign Identity Protection authentication services, to Symantec (now NortonLifeLock Inc.) for $1.28 billion.
Symantec subsequently rebranded the Verisign Trust Seal as the Norton Secured Seal, but its questionable handling of certificate validation led to major problems in the following years.
Fifteen years after the first CAs entered the market, the security and certificate issuance procedures still had critical loopholes, ruthlessly exposed by cyber-attackers. The biggest wake-up call to the industry came in 2011 when an unknown attacker obtained full administrative access to DigiNotar's essential CA systems.
The Dutch Certificate Authority issued a rogue wildcard certificate for Google.com, compromising over 300,000 Iranian Gmail users who were victims of man-in-the-middle attacks. All the major browsers quickly distrusted DigiNotar, and it filed for voluntary bankruptcy.
Google distrusts Symantec, DigiCert comes to the rescue
While DigiNotar was a relatively small fish in the market, what happened to Symantec a few years later put the CA industry under increased pressure and scrutiny. In 2015, Google discovered that Symantec had deliberately issued over 100 test certificates for 76 different domains without the authorization of the domain owners.
At first, Google required Symantec to come up with new preventive measures and undergo a third-party security audit, but later all major browsers distrusted Symantec because the violations continued.
The Symantec debacle could have shuttered the SSL ecosystem, because the largest CA at that time issued one-third of all TLS/SSL certificates on the web. With millions of certificates affected, and Google's 2018 distrust deadline looming fast, Symantec agreed to sell its entire SSL certificate business, including the Verisign, Thawte, GeoTrust, and RapidSSL brands, to its main competitor DigiCert for $950 million.
By October 2018, DigiCert had revalidated over 500,000 business identities and replaced over 5 million affected certificates. With the acquisition of Symantec’s SSL and PKI businesses, DigiCert became the world’s largest high-assurance Certificate Authority.
DigiCert was founded in 2003 by Ken Bretschneider. In 2005 it became a founding member of the CA/Browser Forum. In 2007, DigiCert partnered with Microsoft to develop the first multi-domain SSL certificate.
Its first important acquisition was the CyberTrust Enterprise SSL business from Verizon Enterprise Solutions in 2015. The new purchase propelled DigiCert to second place in the high-assurance or extended validation SSL market, behind Symantec. Two years later, DigiCert bought Symantec's portfolio of SSL brands and climbed to the top of the BV and EV SSL market.
In 2019 DigiCert expanded its presence in the EU by acquiring QuoVadis, a Swiss trust service provider (TSP) offering qualified digital certificates, PKI services, and PrimoSign electronic signature software.
CAs market share
Today, according to a Netcraft SSL survey, DigiCert has a 60% share in the Extended Validation SSL certificates market and dominates the Business Validation market with 96% of OV certs globally carrying DigiCert signatures. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, use DigiCert’s services to protect customers’ sensitive data. DigiCert’s SSL roots trace back to the original VeriSign root certificates, first added 25 years ago.
Nowadays, DigiCert's top competitor is Sectigo (formerly Comodo). Comodo CA was acquired by Francisco Partners from Comodo Security Solutions, Inc., and rebranded as Sectigo in 2018. In a press release, CEO Bill Holtz explained the thinking behind the rebranding:
"This is an exhilarating time for our company. By rebranding as Sectigo, we are emphasizing our expansion beyond SSL to IoT and web security and announcing our commitment to making the internet more secure, as well as safe – for businesses and consumers alike."
Before the acquisition and subsequent rebranding, Comodo CA was already one of the most popular Certificate Authorities with more than 3 million customers in over 150 countries. The company’s wide range of products for every SSL need and affordable pricing remain the main ingredients of success.
In 2020, the SSL market share according to W3Techs surveys paints the following picture: IdenTrust 51.9%, DigiCert Group 19.4%, Sectigo 17.5%, GoDaddy Group 6.8%, GlobalSign 2.9%, Certum 0.5%.
IdenTrust and Let's Encrypt
Now you may wonder, who is IdenTrust, and why haven’t we mentioned them so far? By itself, IdenTrust is a CA that provides digital certificates to financial institutions, healthcare providers, government agencies, and enterprises. Established in 1999, it has a solid reputation and is trusted by all major browsers.
In 2015, IdenTrust cross-signed the intermediate certificates of Let's Encrypt, which allowed the Let's Encrypt CA to be trusted in all major browsers as well and to hit the ground running. In just five years, the open-source, non-profit CA has issued over a billion free DV certificates for over 225 million websites.
Thanks to IdenTrust, and generous support from the likes of Google, Mozilla, and Facebook, Let's Encrypt is now the most popular CA in the world. However, it doesn't offer complex SSL solutions such as business and extended validation, or multi-domain SSL certificates. So when it comes to commercial certificate authorities, DigiCert slightly edges Sectigo in today's market.
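Cross-signing works because a certificate binds a subject name and public key to an issuer's signature, and nothing stops two issuers from signing the same name and key. The script below, an added example that is not Let's Encrypt's or IdenTrust's code, reproduces the arrangement in miniature with the openssl command-line tool (assumed to be installed): an established root and a new root both sign one intermediate key, and a client trusting either root validates the same leaf. All names (Example old Root, Example new Root, Example Intermediate, www.example.test) are invented.

```shell
#!/bin/sh
# Added example, not from the article: a toy reproduction of cross-signing.
# One intermediate key and subject name receive two certificates from two
# different roots, so a relying party that trusts either root can build a
# chain to the same leaf. All names are invented.
set -eu

demo_cross_sign() {
    work=$(mktemp -d) || return 1
    cd "$work" || return 1

    # Self-contained config so the demo does not depend on the system openssl.cnf.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = root_ca
[dn]
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[intermediate_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid
EOF

    # Two roots: a long-established one already in every trust store, and a new one.
    for r in old new; do
        openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
            -keyout "$r-root.key" -out "$r-root.crt" \
            -subj "/CN=Example $r Root" 2>/dev/null || return 1
    done

    # One intermediate key pair and CSR ...
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout int.key -out int.csr -subj "/CN=Example Intermediate" 2>/dev/null || return 1
    # ... signed by both roots: two certificates with the same subject and public key.
    for r in old new; do
        openssl x509 -req -in int.csr -days 1825 -CA "$r-root.crt" -CAkey "$r-root.key" \
            -CAcreateserial -extfile ca.cnf -extensions intermediate_ca \
            -out "int-by-$r.crt" 2>/dev/null || return 1
    done
    # Same key in both intermediate certificates; only issuer and signature differ.
    [ "$(openssl x509 -in int-by-old.crt -noout -pubkey)" = \
      "$(openssl x509 -in int-by-new.crt -noout -pubkey)" ] || return 1

    # A leaf signed with the intermediate key. Which intermediate certificate is
    # named here is irrelevant: the signature is made by int.key either way.
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" 2>/dev/null || return 1
    openssl x509 -req -in leaf.csr -days 365 -CA int-by-new.crt -CAkey int.key \
        -CAcreateserial -extfile ca.cnf -extensions leaf -out leaf.crt 2>/dev/null || return 1

    # A client that only trusts the OLD root chains the leaf through int-by-old ...
    openssl verify -CAfile old-root.crt -untrusted int-by-old.crt leaf.crt || return 1
    # ... and one that only trusts the NEW root chains it through int-by-new.
    openssl verify -CAfile new-root.crt -untrusted int-by-new.crt leaf.crt || return 1
    # Pairing a root with an intermediate it never signed fails: no path to a trusted anchor.
    if openssl verify -CAfile new-root.crt -untrusted int-by-old.crt leaf.crt 2>/dev/null; then
        echo "unexpected: chain validated to a root that never signed it" >&2
        return 1
    fi

    cd / && rm -rf "$work"
    echo "cross-sign demo ok"
}

demo_cross_sign
```

The failing call at the end is also what a browser distrust looks like from the client's side: once a root is removed from the trust store, every chain that ends at it stops validating, regardless of how well the certificates below it were issued. A server operator's defence against that, as in the Let's Encrypt case, is to have a second chain to a root the client still trusts.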
CAs now and in the future
With the arrival of Let's Encrypt on the SSL stage, traditional CAs have lost a large chunk of potential new customers. It's understandable that basic sites and blogs pick a free certificate over a commercial one, but many small businesses and even larger e-commerce shops also prefer the hassle-free Let's Encrypt automation.
Since Google launched the HTTPS Everywhere campaign, online users have become more aware of how web encryption works. When all SSL certificates, regardless of type and price, offer the same level of security, convincing companies to invest in a paid SSL certificate is a challenge that commercial CAs must embrace.
Healthy competition is precisely what drives the innovation forward. Both DigiCert and Sectigo understand the importance of providing actual value to clients. To help businesses manage the SSL certificate lifecycle, the leading CAs have created robust management consoles that streamline and automate the issuance and renewal of PKI (Public Key Infrastructure) at scale. And, with SSL validity capped at just one year starting September 1, users can now order certificates from resellers using multiple-year subscription plans.
What’s next for Extended Validation certificates?
Over a decade has passed since the first Extended Validation certificate hit the market in 2007. The extensive verification of a company's identity proved a success among e-commerce and financial businesses. Several case studies reported the benefits of EV SSL, including better conversion rates and phishing prevention.
However, Google's latest removal of the famous EV SSL indicator from the URL bar has raised some concerns about the long-term future of EV certificates. Many voices consider that EV SSL has gone stale and is in urgent need of an overhaul and new features.
The leading CAs seem to share the same views and have already drafted a few potential EV SSL enhancements with a good chance of passing the CA/B Forum ballot. Here are some of the new suggestions:
- The addition of Legal Entity Identifiers (LEIs) in certificates. LEIs are globally unique registration numbers created under a scheme managed by the Global Legal Entity Identifier Foundation (GLEIF). Included in the certificates, they will further confirm the identities of global companies.
- The creation of a white list of approved data sources to validate EV certificates. Presently, CAs can use whatever authentication source meets the CA/B Forum guidelines.
- Requiring CAs to verify a registered trademark/wordmark before signing an EV certificate, and including trademark and brand information (as well as the source of validation) in the certificate.
Other potential EV changes brainstormed by the CAs include issuing EV certs only to organizations that have been registered for at least six to nine months, and requiring face-to-face meetings before issuing a legal opinion letter.
Blockchain and Certificate Authorities
In an online world that is heading with rapid steps towards automation, the human factor loses ground to machines and software that can seemingly eliminate all errors. In some FinTech circles, technology such as blockchain is cited as a replacement for traditional SSL certificates and CAs that would fully automate web encryption. This could work in theory, but in practice, blockchain still has a long way to go until it reaches universal trust.
The CAs have 25 years of experience and progress behind them in verifying the legitimacy of the certificate’s owner. And while blockchain may be able to help with this process, it is trust in the decision-maker that makes the entire system credible.