Certificate Authority (CA)


Definition: A Certificate Authority (CA) is an organization that browsers and operating systems trust to issue digital certificates. Before issuing, the CA verifies that the applicant controls the domain names the certificate will cover (domain validation) and, for OV and EV certificates, the applicant's legal identity. It then signs the certificate with a key that chains to a root certificate held in client trust stores, which is what lets a browser accept the connection without a warning. Major publicly trusted CAs include Let's Encrypt, DigiCert, Sectigo, and GlobalSign.

Why You Should Care About CA

Certificate Authorities are the trust anchors of the web's public key infrastructure. When your browser connects to an HTTPS site, it checks whether the site's certificate chains, through any intermediate certificates the server sends, to a root certificate in the browser's or operating system's trust store. If the certificate is self-signed, or chains to a root that is not in that store, the browser displays a security warning.

The choice of CA matters for reliability and compatibility. A certificate from a CA that a client does not recognize, or that has been distrusted, fails validation and the connection fails with it. Browser vendors have distrusted several CAs after security incidents: Symantec's roots were removed from Chrome, Firefox, and Safari in 2018 after repeated misissuance and audit failures, and Symantec sold its CA business to DigiCert. Choosing a reputable CA with a strong security track record is therefore important.

For most websites, Let's Encrypt is the best choice because it provides free Domain Validation certificates that renew automatically through the ACME protocol. Organizations that need Organization Validation or Extended Validation certificates can obtain them from paid CAs such as DigiCert, which perform additional identity verification. Note that since 2019 the major browsers no longer show a distinct EV indicator in the address bar, so the extra identity checks are not visible to visitors; they matter mainly for internal policy or compliance requirements.

How to Test for CA

An SSL checker shows which CA issued your certificate (the issuer field of the leaf certificate) and whether the server sends the intermediate certificates needed to chain it to a trusted root. Warnings that appear only on some devices or browsers usually mean one of two things: the server is not sending its intermediate certificate, which some desktop browsers hide by fetching the missing intermediate themselves while command-line tools, libraries, and many mobile clients do not; or the client's trust store is too old to contain the root, as with older operating systems and embedded devices that were never updated to include Let's Encrypt's ISRG Root X1.


Questions and Answers

Can I create my own Certificate Authority?
You can create a private CA for internal use, but browsers and operating systems will not trust certificates it signs unless its root certificate is installed in each client's trust store, typically pushed out by MDM or group policy in an enterprise. Public-facing websites must use a publicly trusted CA.
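The chain check described under "How to Test for CA" and the private CA described in the answer above, as an added example using the openssl command line (this is not DomainOptic's checker or any code from the page). It builds a throwaway root, an intermediate, and a server certificate, then runs the same validation a browser performs: once with the intermediate supplied, as a correctly configured server would send it, and once with the leaf alone, which is the incomplete-chain failure. The names (Example Private Root CA, www.example.test) and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (not DomainOptic's tooling): build a throwaway private CA
# hierarchy (root -> intermediate -> leaf) with the openssl CLI, then run the
# same chain check a browser performs. Names and directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Create root, intermediate and server (leaf) certificates.
make_ca_chain() (
  cd "$WORK"
  # Minimal req config so the result does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf

  # Root CA: self-signed, marked CA:TRUE. This is the certificate a client must
  # have in its trust store for anything below it to be accepted.
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Private Root CA" -keyout root.key -out root.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile root.ext -out root.pem 2>/dev/null

  # Intermediate CA: signed by the root; may issue leaves but no further CAs.
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Private Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile int.ext -out int.pem 2>/dev/null

  # Leaf: the server certificate, signed by the intermediate (not the root).
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# Which CA issued the leaf: this is the "issuer" an SSL checker reports.
leaf_issuer() {
  openssl x509 -in "$WORK/leaf.pem" -noout -issuer
}

# A client that trusts only the root and receives the intermediate from the
# server (a complete chain): validation succeeds.
verify_with_full_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same client, but the server sent only the leaf (an incomplete chain): the
# client cannot reach a trusted root, which is the "works on some devices,
# warns on others" symptom described above.
verify_missing_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_ca_chain
echo "leaf issuer: $(leaf_issuer)"
if verify_with_full_chain; then echo "root + intermediate + leaf: OK"; fi
if verify_missing_intermediate; then echo "root + leaf only: OK"; else echo "root + leaf only: FAILED (intermediate missing)"; fi
```

Against a live server the same check starts with `openssl s_client -connect host:443 -servername host -showcerts`, which prints exactly the certificates the server sends; if only one certificate appears, the intermediate is missing and clients without a copy of it will reject the connection, however reputable the CA.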
What happens when a CA is compromised?
Browser vendors can remove a CA's roots from their trust stores, after which every certificate that chains to those roots fails validation. DigiNotar was removed in 2011 after attackers compromised it and issued fraudulent certificates; Symantec was distrusted in 2018 for repeated misissuance rather than a breach, in stages so that site operators could migrate. Certificate Transparency logs help detect misissuance early: publicly trusted certificates must be logged before Chrome and Safari will accept them, so a certificate issued for your domain without your knowledge shows up in the logs and can be caught by monitoring them.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.