Certificate Management 06-26-2021

What is a CA? Certificate Authorities Explained

Dean Coclin

A certificate authority (CA) is a trusted organization that issues digital certificates for websites and other entities. CAs validate a website domain and, depending on the type of certificate, the ownership of the website, and then issue TLS/SSL certificates that are trusted by web browsers like Chrome, Safari and Firefox. Thus, CAs help keep the internet a safer place by verifying websites and other entities to enable more trust in online communications and transactions.

What is a CA's role?

Every time you visit a website with HTTPS or see the little padlock in the URL bar, you are using a site that has been verified by a CA. Additionally, anytime you visit a site that says “not secure,” you know that a site has not been validated by a CA or their validation has expired.

Any website that wants to display the secure padlock and enable HTTPS needs to get a TLS/SSL certificate from a CA. Before issuing a certificate, the CA will verify the certificate requester’s information, like site ownership, name, location and more. CAs must adhere to stringent industry standards to ensure that every CA follows similar requirements for validation. The CA/Browser Forum, made up of major browsers and CAs, sets the standards for TLS encryption and digital certificates.

Why do we need certificate authorities?

Without certificate authorities, shopping, banking or browsing online would be less secure. Data entered into a webform would not be secured and it could potentially be captured by a hacker who is “sniffing” the data between the browser and the server. However, CAs validate organizations and individuals to help ensure that only legitimate websites get a TLS certificate. There are over 100 different certificate authorities around the world that validate businesses and sites across the globe.

Notably, imposters may still attempt to take advantage of certificates, so web users should still be familiar with site trust indicators, including site seals, to know if a website is secure. Additionally, you can check for identifying information about the certificate owner, like organizational name, location and more, included in higher-assurance digital certificates.

Three main types of TLS certificates

There are three different types of TLS certificates that CAs issue: domain validation (DV), organization validation (OV) and extended validation (EV). CAs validate each type of certificate to a different level of user trust, with EV being the highest level of assurance available. The difference between OV and EV is that a CA takes additional steps to validate the certificate requester, giving end users even more confidence that a website is legitimate.

  • DV: Ownership of Domain Validated certificates is confirmed by having the applicant prove control of the domain. However, DV certificates do not offer identifying organizational information, so they are not recommended for commercial purposes.
  • OV: Organization Validated certificates are authenticated by the CA against business registry databases hosted by governments. CAs may require certain documents and contact personnel to ensure that OV certificates contain legitimate business information. This is the standard type of certificate required on a commercial or public-facing website.
  • EV: Extended Validation certificates offer the highest level of authentication to safeguard brands and protect users. They are used by the world’s leading organizations, including over half of the top 400 ecommerce sites, according to 2019 data from Comscore and Netcraft.

Read more about how to choose the right type of certificate for your site in another blog post.

Types of certificates that CAs issue

While CAs focus mainly on TLS certificates, they also issue a variety of digital certificates, including:

How do I get a CA certificate?

To get a certificate from CAs like DigiCert, you’ll need to fill out a Certificate Signing Request (CSR) and complete an order form. The process is the same regardless of the type of TLS certificate you order; however, you will need to provide additional fields of information for OV and EV certificates. DigiCert can complete your validation in less than a day, to get you a TLS certificate within hours, not days.

Keep in mind that all publicly-trusted TLS/SSL certificates are valid for a maximum period of one year (398 days) and you will need to revalidate each year.
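The checks described above (reading the owner's identifying information, telling DV, OV and EV apart, and confirming the 398-day limit) can be scripted. The Python below is an added example, not DigiCert's code: it works on the dictionary format returned by the standard library's ssl getpeercert(), the two sample certificates are constructed, and the DV/OV/EV decision is a heuristic based on which subject fields are present.

```python
import ssl

MAX_VALIDITY_DAYS = 398  # maximum validity quoted in the article
# Constructed sample certificates in the dict format ssl getpeercert() returns.
DV_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "notBefore": "Jun  1 00:00:00 2021 GMT",
    "notAfter": "Aug 30 00:00:00 2021 GMT",
}
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "0000000"),),
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "www.example.com"),),
    ),
    "notBefore": "Jan  1 00:00:00 2021 GMT",
    "notAfter": "Jan  1 00:00:00 2023 GMT",
}

def subject_fields(cert):
    """Flatten the nested RDN tuples of the subject into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def assurance_level(cert):
    """Heuristic: infer DV/OV/EV from the identity fields in the subject."""
    s = subject_fields(cert)
    if "organizationName" not in s:
        return "DV"  # domain control only, no organization identity
    if {"businessCategory", "serialNumber", "jurisdictionCountryName"} <= s.keys():
        return "EV"  # registration details present alongside the organization
    return "OV"

def validity_days(cert):
    """Length of the validity period in days."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400

def review(cert):
    """Summarize who the certificate identifies and whether its lifetime is allowed."""
    s = subject_fields(cert)
    days = validity_days(cert)
    return {"level": assurance_level(cert),
            "organization": s.get("organizationName"),
            "validity_days": days,
            "within_limit": days <= MAX_VALIDITY_DAYS}
```

On a live connection, the same dictionary comes from calling getpeercert() on the TLS socket after a verified handshake; review(EV_CERT) flags the constructed two-year certificate as exceeding the limit.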

How to choose a certificate authority

When choosing a certificate authority, you should understand several considerations like trust, customer service, brand recognition, cost and available tools. Choosing a CA that you can trust is vital, because your digital products and services and your end users’ security are reliant upon the technology your CA provides. Trusted CAs submit to regular audits by independent parties, follow industry guidelines and maintain best practices to secure their infrastructure. Additionally, many CAs are heavily involved in industry groups and developing industry standards, and are thought leaders in their space, providing you with the resources you need. Not every CA has 24/7 customer support to help you one on one, either. Finally, certain platforms have a list of trusted certificate authorities for you to use.

Read more on how to choose the right certificate authority in another blog post.

Where to buy TLS/SSL

You can purchase a TLS/SSL certificate from any trusted certificate authority. However, since you’re here, you should know that DigiCert is one of the best options to purchase TLS/SSL certificates.

As one of the largest CAs worldwide, DigiCert has almost two decades of experience delivering trusted solutions to millions of users and devices worldwide, and we currently have over 22 million active TLS certificates. The majority of the Fortune 500 and many Global 2000 companies rely on DigiCert. We take this responsibility seriously, and take several measures to ensure the integrity of our certificates, including completing over two dozen audits annually. We also offer 24/7, five-star customer support and are innovating solutions to make certificate management easier. DigiCert is an active and leading participant in the CA/B Forum and is developing tools to help organizations remain compliant with even the most stringent global standards. Plus, DigiCert offers digital certificates for every security need.

Learn more about one of the largest CAs at www.digicert.com or purchase a TLS certificate today.

Discover why PKI is the logical extension of your TLS/SSL initiatives in our PKI eBook.

