The Role of Certificate Authorities on the Web

Every time you see a padlock icon in your browser, a Certificate Authority (CA) has done work in the background to make that connection trustworthy: the site presented a certificate that chains to a root the browser already trusts. Without CAs (or something filling their role), a browser would have no reliable way to know whether the server it is talking to actually controls the domain name in the address bar. The padlock says nothing about whether the site itself is honest; it says only that you are encrypted to the party that proved control of that name. Understanding how CAs work is foundational to understanding web security.

What Is a Certificate Authority?

A Certificate Authority is an organization that issues digital certificates after checking that the applicant controls the name (and, for some certificate types, is the organization) that the certificate will carry. A certificate binds a public key to that identity under the CA's signature. In a TLS connection it serves two purposes:

  • Authentication — It ties the domain name (and optionally an organization) to a public key, so the client can check that the server it reached is the one the name belongs to.
  • Key distribution — It carries the public key the client uses to verify the server's signature in the TLS handshake (or, with older RSA key-exchange cipher suites, to encrypt the pre-master secret). The session keys that actually encrypt traffic are derived from the handshake's key exchange; they are not copied out of the certificate.

Major public CAs include DigiCert, Sectigo, GlobalSign, Entrust, and the free, automated Let's Encrypt. Browsers and operating systems ship with a list of trusted root CAs. Each vendor runs its own root program (Mozilla, Microsoft, Apple and Google Chrome each maintain one) and decides which roots are included and on what conditions. That list is what makes the whole system work, and it is also what bounds it: a connection is only as trustworthy as the least careful CA in the store.

How the Certificate Trust Chain Works

The trust model is hierarchical, often called the chain of trust:

  1. Root CA — At the top sits the root certificate, stored in a highly secure, often offline environment. Root certificates are self-signed and pre-installed in browsers and OS trust stores.
  2. Intermediate CA — Root CAs sign intermediate CA certificates, and the intermediates are what actually issue certificates to websites. This keeps the root key offline and limits the damage from a compromise: if an intermediate is compromised, the root can revoke it and sign a replacement without the root itself ever being exposed.
  3. End-Entity (Leaf) Certificate — This is the certificate installed on your web server. It's issued by an intermediate CA and links your domain to a public key.

When your browser connects to a site, the server sends its leaf certificate and, if correctly configured, the intermediate(s). The browser builds a path from the leaf up to a root in its own trust store and checks, for each link, that the issuer's signature verifies, that the issuer is allowed to act as a CA (basicConstraints CA:TRUE and a keyUsage that permits keyCertSign), and that the certificate is within its validity period. It also checks that the requested hostname appears in the leaf's subjectAltName, then applies its revocation and Certificate Transparency policy. Only if all of that passes is the connection marked secure. Two practical caveats: the root always comes from the client's store, never from the server; and the most common chain misconfiguration is a server that sends only its leaf. Some clients fetch the missing intermediate from the URL in the certificate's Authority Information Access extension, but many (including most non-browser TLS libraries) do not, so always serve the full chain.

Types of Validation Offered by CAs

CAs offer different levels of identity verification:

Type                           What's verified                                    Typical use case
Domain Validation (DV)         Control of the domain name only                    Blogs, personal sites, anything issued via ACME
Organization Validation (OV)   Domain control plus the organization's legal       Business websites
                               identity, which appears in the certificate subject
Extended Validation (EV)       Domain control plus a stricter, documented          Banks, large e-commerce
                               check of the organization under the EV Guidelines

All three give the same cryptographic protection; they differ only in what the CA checked before issuing. Since 2019 Chrome and Firefox no longer give EV certificates a distinct address-bar indicator, so EV's value today lies in the audit trail behind the certificate rather than in anything users see.

How CAs Verify Your Identity

For DV certificates, the CA verifies control of the domain using one of the methods permitted by the CA/Browser Forum Baseline Requirements. The common ones are:

  • Email validation — a confirmation link sent to one of the addresses the Baseline Requirements reserve for the domain's owner (admin@, administrator@, webmaster@, hostmaster@ or postmaster@ at the domain), or to a contact listed in the domain's registration data.
  • DNS record — adding a random, CA-supplied value as a TXT record under the domain. Let's Encrypt's ACME DNS-01 challenge, for example, looks for it at _acme-challenge.<domain>.
  • HTTP file — serving a random, CA-supplied value at a fixed path under /.well-known/ over plain HTTP on port 80. ACME's HTTP-01 challenge uses /.well-known/acme-challenge/<token>.

These methods prove control of the name and nothing more, and they are only as strong as the DNS and routing the CA sees from its own vantage point: a DNS or BGP hijack aimed at the CA's validation traffic can pass them. Let's Encrypt validates from several network locations for exactly that reason.

For OV and EV, the CA additionally verifies the organization's legal existence against business registries, confirms its address and a telephone number from an independent source, and checks that the person requesting has the authority to do so; EV applies the CA/Browser Forum's stricter EV Guidelines to the same checks.

What Happens When a CA Is Compromised?

History has shown that CAs can be compromised. The DigiNotar breach in 2011 is the sobering example: an intruder used the Dutch CA's systems to issue hundreds of fraudulent certificates, including one for *.google.com that was used to intercept Gmail traffic in Iran. Within days every major browser had removed DigiNotar's roots, and within a month the company was bankrupt. When a CA misbehaves or is hacked, browsers and root programs can:

  • Distrust the CA's root certificates through browser and OS updates, which makes every certificate beneath them fail verification at once. This is the blunt instrument: it was applied to DigiNotar within days and, more gradually, to Symantec's roots in 2018 after repeated misissuance.
  • Use Certificate Transparency (CT) logs, public, append-only logs of issued certificates, to detect misissued certs. Chrome and Safari reject publicly trusted certificates that do not carry proof of logging (Signed Certificate Timestamps), so a fraudulent certificate for your domain that those browsers would accept is also visible in the logs; monitoring the logs for your own names is a cheap detection control.
  • Rely on Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP) to check whether a specific cert has been revoked. The caveat is that browsers mostly soft-fail these checks: an unreachable OCSP responder is treated as "not revoked", which is exactly the condition an on-path attacker can arrange. The practical protections are OCSP stapling on the server side and browser-pushed revocation summaries such as Chrome's CRLSets.
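The chain-building rules from the chain-of-trust section and the CRL check in the list above, as an added example that is not part of the original article: the script below builds a made-up root, intermediate and leaf with the openssl command-line tool, verifies the leaf the way a client would, shows three rejections (wrong hostname, missing intermediate, a certificate signed with the leaf's own key), and finally revokes the leaf through a CRL issued by the intermediate. All names (Demo Root CA, Demo Issuing CA, www.example.test, login.bank.test), file names and the tiny `openssl ca` configuration are assumptions made for the demo; it expects OpenSSL 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example (not from the article): a three-tier test PKI built with the
# openssl CLI, verified like a TLS client would, then revoked via a CRL.
# Every name, path and file below is made up for the demo.

# new_key FILE: P-256 private key (fast to generate, fine for a demo).
new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }

# make_pki DIR: writes root.crt -> int.crt -> leaf.crt (plus keys, CA db, CRL) under DIR.
make_pki() {
    d=$1
    # Root: self-signed, CA:TRUE, may only sign certificates and CRLs.
    new_key "$d/root.key"
    openssl req -new -key "$d/root.key" -subj "/CN=Demo Root CA" -out "$d/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/root.ext"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
        -extfile "$d/root.ext" -out "$d/root.crt" 2>/dev/null
    # Intermediate: signed by the root; pathlen:0 means it cannot create sub-CAs.
    new_key "$d/int.key"
    openssl req -new -key "$d/int.key" -subj "/CN=Demo Issuing CA" -out "$d/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 1825 -extfile "$d/int.ext" -out "$d/int.crt" 2>/dev/null
    # Leaf: signed by the intermediate, CA:FALSE, bound to one DNS name via SAN.
    new_key "$d/leaf.key"
    openssl req -new -key "$d/leaf.key" -subj "/CN=www.example.test" -out "$d/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 90 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
    # Minimal "openssl ca" database so the intermediate can issue CRLs (assumed config).
    : > "$d/index.txt"
    echo 1000 > "$d/crlnumber"
    printf '[ca]\ndefault_ca=issuing\n[issuing]\ndatabase=%s/index.txt\ncertificate=%s/int.crt\nprivate_key=%s/int.key\ncrlnumber=%s/crlnumber\ndefault_md=sha256\n' \
        "$d" "$d" "$d" "$d" > "$d/ca.cnf"
    gen_crl "$d"
}

# gen_crl DIR: (re)issue the intermediate's CRL; it is empty until something is revoked.
gen_crl() { openssl ca -config "$1/ca.cnf" -gencrl -crldays 7 -out "$1/int.crl" >/dev/null 2>&1; }

# revoke_leaf DIR: record the leaf as revoked and publish a fresh CRL.
revoke_leaf() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/leaf.crt" -crl_reason keyCompromise >/dev/null 2>&1 &&
        gen_crl "$1"
}

# verify_leaf DIR HOSTNAME [extra openssl verify flags]: what a client does with the
# served leaf + intermediate and its own trust store (here, only the root).
verify_leaf() {
    pki=$1; host=$2; shift 2
    openssl verify -CAfile "$pki/root.crt" -untrusted "$pki/int.crt" -verify_hostname "$host" \
        "$@" "$pki/leaf.crt" >/dev/null 2>&1
}

# verify_leaf_no_intermediate DIR: the common misconfiguration, the server sends only its leaf.
verify_leaf_no_intermediate() { openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1; }

# verify_rogue DIR: a certificate for another site signed with the LEAF's key. It must be
# rejected: the leaf is CA:FALSE and lacks keyCertSign, so it may not act as an issuer.
verify_rogue() {
    new_key "$1/rogue.key"
    openssl req -new -key "$1/rogue.key" -subj "/CN=login.bank.test" -out "$1/rogue.csr" 2>/dev/null
    printf 'subjectAltName=DNS:login.bank.test\n' > "$1/rogue.ext"
    openssl x509 -req -in "$1/rogue.csr" -CA "$1/leaf.crt" -CAkey "$1/leaf.key" -CAcreateserial \
        -days 90 -extfile "$1/rogue.ext" -out "$1/rogue.crt" 2>/dev/null
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" -untrusted "$1/leaf.crt" \
        "$1/rogue.crt" >/dev/null 2>&1
}

# Demo run: one line per check, showing only the outcome a browser would act on.
demo() {
    demo_dir=$(mktemp -d)
    make_pki "$demo_dir"
    verify_leaf "$demo_dir" www.example.test && echo "full chain, matching name: OK"
    verify_leaf "$demo_dir" login.bank.test || echo "name mismatch: rejected"
    verify_leaf_no_intermediate "$demo_dir" || echo "missing intermediate: rejected"
    verify_rogue "$demo_dir" || echo "leaf used as an issuer: rejected"
    verify_leaf "$demo_dir" www.example.test -crl_check -CRLfile "$demo_dir/int.crl" && echo "CRL check, not revoked: OK"
    revoke_leaf "$demo_dir"
    verify_leaf "$demo_dir" www.example.test -crl_check -CRLfile "$demo_dir/int.crl" || echo "CRL check after revocation: rejected"
    rm -rf "$demo_dir"
}
demo
```

Run it as-is and it prints one line per check. Drop the `>/dev/null 2>&1` on any `openssl verify` to see the exact error string (for example "unable to get local issuer certificate" for the missing intermediate, "Hostname mismatch" for the wrong name, and "certificate revoked" after the CRL is updated). The CRL step is the part public browsers have largely abandoned, but it is exactly what an internal PKI, a VPN gateway or a mutual-TLS service mesh still does, and `-crl_check` with `-CRLfile` is how you debug it.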

The Importance of Choosing a Reputable CA

For most website owners, the choice of CA matters less than ensuring the certificate is properly configured: a complete chain, a private key kept out of reach, and automated renewal well before expiry. Two checks are worth doing whichever CA you pick. First, confirm the CA is independently audited (WebTrust for CAs or the ETSI equivalent) and included in the major root programs; for enterprise environments or high-value targets, an established CA with strong audit trails, compliance certifications and a responsive revocation process is worth the extra consideration. Second, publish a CAA record in DNS (RFC 8659) naming the CA(s) permitted to issue for your domain. Publicly trusted CAs have been required to check CAA before issuing since 2017, so the record stops any other CA, including a compromised or careless one, from issuing for your names.