What is a Certificate Authority?
Simply put, a certificate authority is an entity that issues digital certificates. Certificate authorities play a pivotal role in cybersecurity. The digital certificates they issue are a way for you to prove that your website is legitimate and not operated by hackers or other bad actors. If certificate authorities didn’t exist, it would be unsafe to shop, bank, or transmit other sensitive information over the internet. The “s” in the https prefix stands for secure, so you know the owner of the website has been verified by a certificate authority.
Public Vs. Private Certificate Authorities
Although they perform similar functions, there are key differences between public and private certificate authorities.
- Private certificate authorities are specific to an enterprise and issue certificates for internal purposes and use cases such as private networks and VPNs, user authentication, and code signing.
- Public certificate authorities are entities that are trusted by browsers to provide security—via verification and encryption—for users when interacting with public-facing websites and services.
How Does a Certificate Authority Gain Trust?
Public certificate authorities are vetted entities that must meet established baseline requirements put forth by the CA/Browser Forum. Certificate authorities and internet browsers worked together to develop stricter and more uniform standards for the management of certificate authorities and issuance of TLS/SSL certificates. Baseline Requirements 1.0 went into effect on July 1, 2012.
SSL Certificates and PKI
In addition to the “s” in https, when you go to a website and see a padlock in the address bar of your browser, the technology behind that padlock is a TLS/SSL certificate. The certificate has been issued by a publicly trusted certificate authority, and the trust it conveys rests on PKI. Deploying TLS/SSL certificates is key to protecting your organization, prospects, and customers from cyberattacks related to website transactions.
Types of TLS/SSL Certificates
Every online interaction needs to be protected from malicious attacks. TLS/SSL certificates are the foundation for privacy, protection, and brand integrity in the digital realm. Most certificate authorities offer a range of certificate types depending on desired assurance levels, compliance requirements, and the number of domains being secured.
- Extended validation (EV) SSL certificates provide the highest level of assurance, and the verification process is the most rigorous. When deployed on a website, a padlock icon, the organization’s name, and the HTTPS designation become visible to visitors. This type of certificate is generally used for web applications that require identity assurance for collecting data, processing logins, or conducting online payments.
- Organization validation (OV) SSL certificates provide identity assurance and encryption and are best suited for encrypting user information during transactions. Most consumer-facing websites are legally required to deploy OV SSL certificates to ensure information communicated during a session remains confidential.
- Domain validation (DV) SSL certificates have fewer identity verification requirements than EV or OV certificates, only proving domain control. They’re often used for low-risk applications, such as blogs, user communities, or informational sites. This makes DV certificates less expensive and easier to obtain.
- Wildcard SSL certificates are verified to the organization validation level and are a cost-effective solution for securing a base domain and any number of affiliated subdomains. In addition to lower costs (than buying multiple individual certificates), they offer greater simplicity because users don’t have to submit multiple certificate signing requests (CSRs) or manage the expiration dates for multiple TLS/SSL certificates across multiple URLs.
- Unified communications (UC) SSL certificates are verified either to the extended validation or organization validation levels. An efficient way to consolidate multiple certificates is by leveraging Subject Alternative Names (SANs) for cost savings. UC SSL certificates establish trusted identities and eliminate browser notifications that warn visitors against entering your site.
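The private-CA model from the public vs. private comparison above and the SAN and wildcard behaviour from the certificate-type list are easiest to see with a throw-away CA. The script below is an added example written for this page, not code from the original article or from any CA vendor: it builds a private root with the openssl CLI, issues one leaf certificate whose SAN list combines a single host name, a wildcard, and a host in a second domain (the UC/SAN pattern), then uses `openssl verify -verify_hostname` to show which names that one certificate actually covers. All names (`example.internal`, `example.net`, the CA names) are constructed for the demo. Two checks a practitioner wants are built in: a wildcard entry matches exactly one label, so `*.apps.example.internal` covers `web.apps.example.internal` but neither `a.b.apps.example.internal` nor `apps.example.internal`; and a certificate from a CA the verifier has not been given is rejected, which is what makes private trust private.

```shell
#!/bin/sh
# Added example, not from the original page: a throw-away private CA built with the
# openssl CLI. It shows (a) a private CA issuing a certificate for internal names and
# (b) how the subject alternative name (SAN) list, wildcard entry included, decides
# which host names one certificate covers. Every name below is constructed.

WORK="${TMPDIR:-/tmp}/ca-demo.$$"

# make_root NAME PREFIX: self-signed root CA. A dedicated config file is written so the
# result does not depend on whatever openssl.cnf (if any) the system ships.
make_root() {
  cat > "$WORK/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $1
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/$2.cnf" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# setup_demo_ca: build the enterprise root, an unrelated root, and one leaf certificate
# whose SAN list names a single host, a wildcard, and a host in a second domain.
setup_demo_ca() {
  mkdir -p "$WORK" || return 1
  make_root "Demo Private Root CA" root || return 1
  make_root "Some Other Root CA" other || return 1
  # The subscriber generates a key pair and a certificate signing request (CSR).
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = intranet.example.internal\n' \
    > "$WORK/leaf.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/leaf.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
  # The CA signs the CSR and sets the end-entity extensions itself, SAN included.
  cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.internal,DNS:*.apps.example.internal,DNS:vpn.example.net
EOF
  openssl x509 -req -sha256 -days 397 -in "$WORK/leaf.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# covers_host HOST: exit 0 if leaf.crt chains to the enterprise root and its SAN list
# covers HOST (openssl applies the one-label wildcard rule), non-zero otherwise.
covers_host() {
  openssl verify -CAfile "$WORK/root.crt" -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# trusted_by PREFIX: exit 0 if leaf.crt chains to the root named PREFIX (root or other).
trusted_by() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

cleanup_demo_ca() { rm -rf "$WORK"; }

# Stand-alone run: report which names the single certificate covers.
setup_demo_ca || { echo "openssl setup failed" >&2; exit 1; }
for h in intranet.example.internal web.apps.example.internal \
         a.b.apps.example.internal apps.example.internal vpn.example.net; do
  if covers_host "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
if trusted_by other; then echo "unrelated root: accepted"; else echo "unrelated root: rejected"; fi
cleanup_demo_ca
```

Run it with `sh ca-demo.sh` on any system with OpenSSL 1.1.1 or later (`-verify_hostname` and the config-driven `req` invocation are present in both 1.1.1 and 3.x). The leaf's CN is deliberately repeated in the SAN list because modern verifiers ignore the CN once a SAN extension is present; a certificate that relies on CN alone fails hostname checks in current browsers.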
Why TLS/SSL Certificates are Critical
Having trusted TLS/SSL certificates from a reputable certificate authority is extremely important for a variety of reasons.
- Increasing compliance requirements. The General Data Protection Regulation (GDPR) implemented in Europe is being adopted throughout the world. Organizations in violation of GDPR standards face hefty fines or revenue loss.
- Loss of search engine visibility. Search engines are cracking down on websites that pose security threats by displaying negative security indicators and removing sites from search engine results.
- Heightened data security. It’s critical to protect passwords, credit card numbers, financial transactions, and other high-value data.
- Emphasis on trusted identity. The certificate authority verifies the identity of organizations, confirms the organization has control over its domains, and ensures the requestor of the certificate is employed by the organization.
The Need for Certificate Management
For organizations that have a growing number of certificates, certificate management can be challenging. Certificate lifecycle management tools become necessary to have complete visibility into your certificate inventories. Look for management solutions that provide a broad set of integrations to ensure your trust environment matches your business needs. Digital certificates should align with all your needs including traditional use cases and modern use cases such as the Internet of Things (IoT) and DevOps. You also will want professional services expertise to solve complex problems and a customer support team that is available 24/7, 365 days a year if you need help.
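The visibility a lifecycle tool provides starts with one question: which certificates in the inventory expire soon? The script below is an added example written for this page, not code from the original article or from any management product. It generates a handful of self-signed certificates with different validity periods as a stand-in for a real inventory directory (all names and the directory path are constructed), then uses `openssl x509 -checkend`, which exits non-zero when a certificate will expire within the given number of seconds, to list everything that falls inside a renewal window. The same loop works unchanged on a directory of real PEM files.

```shell
#!/bin/sh
# Added example, not from the original page: a minimal certificate-inventory check.
# It lists PEM certificates in a directory that expire within N days, the first
# piece of visibility a certificate lifecycle tool provides. Names are constructed.

INV="${TMPDIR:-/tmp}/cert-inventory.$$"

# make_cert NAME DAYS: self-signed certificate valid for DAYS days, written to $INV/NAME.pem.
# A tiny config is used so the run does not depend on a system openssl.cnf being present.
make_cert() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1" > "$INV/$1.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -config "$INV/$1.cnf" -keyout "$INV/$1.key" -out "$INV/$1.pem" >/dev/null 2>&1
}

# expiring_within DAYS DIR: print "<file> <notAfter>" for every *.pem in DIR that is
# already expired or will expire within DAYS days.
expiring_within() {
  secs=$(( $1 * 86400 ))
  for f in "$2"/*.pem; do
    [ -f "$f" ] || continue
    # -checkend exits 0 when the cert outlives the window, 1 when it does not.
    if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1; then
      end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
      printf '%s %s\n' "${f##*/}" "$end"
    fi
  done
}

# count_expiring DAYS DIR: number of certificates flagged by expiring_within.
count_expiring() { expiring_within "$1" "$2" | wc -l | tr -d ' '; }

# Stand-alone run: build a small constructed inventory and report the 30-day window.
mkdir -p "$INV" || exit 1
make_cert web 2   || { echo "openssl failed" >&2; exit 1; }   # renew now
make_cert vpn 20  || exit 1                                    # inside a 30-day window
make_cert api 400 || exit 1                                    # fine for a long while
echo "certificates expiring within 30 days:"
expiring_within 30 "$INV"
echo "total flagged: $(count_expiring 30 "$INV") of 3"
rm -rf "$INV"
```

In practice this loop is the inner step of a scheduled job that feeds a ticketing or alerting system; `-checkend` is preferable to parsing dates by hand because OpenSSL does the time comparison using the certificate's own notAfter field and the system clock.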
The Connection Between Certificate Authorities and PKI
Whether for public or private trust, certificate authorities are a critical piece of the broader PKI (public key infrastructure) ecosystem. PKI is the cornerstone of IT security and is used to establish trust and secure interactions between people, systems, and things. This is best done via the digital certificates that are issued by a certificate authority for signing, authentication, or encryption — or all three.
Web of Trust Vs. Certificate Authority
Web of trust is a decentralized model for encryption and serves as an alternative to PKI. Instead of relying on a certificate authority, web of trust relies on a series of signatures from disparate sources to establish legitimacy and bind the public encryption key to its owner. The web of trust concept was introduced by Phil Zimmermann in 1992 in his manual for PGP (pretty good privacy) version 2.0. By contrast, a certificate authority relies on trusted third-party entities that must meet stringent requirements and are audited annually.