FAQ Hero

Public trust: how public CAs and TLS certificates work

Public CAs, roots, and browser trust

Public trust is the model by which browsers and operating systems accept certificates: a certificate is trusted when it chains to a root in the platform’s trust store and the issuing CA follows audit-backed practices and policies. Maintaining public trust requires rigorous operational controls, frequent audits, CT logging, correct cryptography, and rapid response to browser policy updates — all to prevent warnings that damage customer trust and cause outages. Public CAs must balance security, transparency, and customer usability; organizations relying on public certificates need centralized management, monitoring, and CT-compliant issuance to stay trusted across platforms. DigiCert’s public CA and CertCentral portal  integrate public-trusted issuance, CT logging, and foundational management capabilities to keep public certificates compliant and reliable.

What is public trust? 
Public trust describes the acceptance of certificates by browsers and OSs because the issuing CA and roots met audit and policy requirements.

Why do certificates sometimes trigger browser warnings? 
Warnings happen when certificates don’t chain to a trusted root, are expired, or violate browser policies.

Does DigiCert operate a public CA? 
Yes — DigiCert runs public CA services and integrates issuance with CT logging and management through CertCentral.

How do I ensure my public certificates are trusted? 
Use a trusted public CA, enable CT logging, follow cryptographic best practices, and monitor cert inventory for expirations.

  • DigiCert Logo

    The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.