What is a Certificate Authority? Everything You Need to Know About Public & Private CAs

The certificate authority (CA), also known as a certification authority, is one of the most important elements of maintaining security in today’s digital world. 

Specifically, a certificate authority issues digital certificates (think of these as a driver’s license or passport for the digital world) that can then be used to verify the identity of websites, devices, people and more. In doing so, CAs help ensure that everyone and everything online is communicating with exactly who they think they’re communicating with, and not with an unintended third party.

How exactly do CAs make all of this work? What are the different types of CAs and how can you start using them? This article will explore everything you need to know about certificate authorities, including: 

  • What is a certificate authority?
  • What’s the difference between public CAs and private CAs?
  • Main third party certificate authorities you should know about
  • Main internal certificate authorities you should know about

What is a Certificate Authority?

A certificate authority plays a critical role in digital security by (1) issuing digital certificates that can verify identities and (2) setting the policies, practices and procedures for vetting recipients of certificates.

Let’s break this down.

Digital certificates are like a driver’s license or passport for the digital world: They contain information about an individual or entity and are used to validate identity. For example, every time you visit a website on a modern browser, there should be a lock in the URL bar to indicate the site is secure. If you click on the lock, it will give more details, including a note that the site’s certificate is valid.


You can even click within that for full certificate details to see the parameters included in the site’s certificate (certificate usages, certificate recipient, issuing CA, issue and expiration dates and digital fingerprints) and to vet the information for yourself.


In contrast, if the site does not have a valid certificate, it will show a warning that the connection is not private, including a note that the certificate is not trusted. Think of this like trying to use a fake ID and getting caught in the act.


The certificate in this website example is an SSL/TLS certificate, the type that governs the web browsing experience. It’s just one of many types of digital certificates that CAs can issue for various recipients and purposes.

Regardless of the purpose, the model for verifying identities (human and machine) with certificates remains the same. For this system to work, every certificate must be issued by a trusted party, be tamper-resistant, and contain the information needed to prove its authenticity. That’s where the CA comes into the equation.

Certificate authorities are responsible for issuing these digital certificates, and the owners of each CA determine its overall security procedures, such as how they will vet certificate recipients, what parameters they will include in their certificates and even the types of certificates they’ll issue (notably, the purpose of a certificate can affect how rigorous the recipient vetting process is). Each CA must formally document all of these policies so that others can decide whether or not they want to trust that certificate authority.

Finally, each certificate authority must maintain a Certificate Revocation List (CRL). The CRL allows a certificate authority to revoke certificates for any number of reasons (such as if the certificate has been compromised) so that users know not to trust those certificates anymore. CAs must pay particularly close attention to keeping their CRL up to date and to making sure the CRL doesn’t expire (every CRL has a set lifespan), because if the CRL expires then every certificate issued by the CA becomes invalid.
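The CRL lifecycle described above, as an added example that is not part of this article: a root CA issues a certificate and an empty CRL, then a CRL whose next-update time is one second away (so it expires), and finally revokes the certificate. A CRL-checking client accepts the first CRL, rejects the second with "CRL has expired" although nothing was revoked, and rejects the third with "certificate revoked". It assumes openssl (1.1.1 or later) on PATH; the CA and host names are constructed.

```shell
#!/bin/sh
# Added example (not code from the article): the CRL lifecycle with the OpenSSL
# CLI. A root CA issues one server certificate and publishes an empty CRL, then
# a CRL whose nextUpdate is one second away (so it expires), then revokes the
# certificate. Assumes openssl 1.1.1 or later on PATH. All names are constructed.
set -e
CRL_DIR=$(mktemp -d)
cd "$CRL_DIR"
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf   # avoids system openssl.cnf

# Root CA whose key may sign certificates and CRLs, plus one server certificate.
openssl ecparam -genkey -name prime256v1 -noout -out root.key
openssl req -config req.cnf -x509 -new -key root.key -sha256 -days 3650 \
  -subj "/CN=Example Root CA" -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" -out root.pem
openssl ecparam -genkey -name prime256v1 -noout -out server.key
openssl req -config req.cnf -new -key server.key -sha256 \
  -subj "/CN=intranet.example.test" -out server.csr
openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -out server.pem

# 'openssl ca' keeps the CA database (index.txt) of issued and revoked serials and
# signs CRLs from it; default_crl_days is the CRL lifespan when none is given.
cat > ca.cnf <<'EOF'
[ca]
default_ca = root_ca
[root_ca]
database = index.txt
certificate = root.pem
private_key = root.key
default_md = sha256
default_crl_days = 7
EOF
touch index.txt

# Relying party: validate server.pem against the root and the CRL given as $1.
# Prints OK, EXPIRED, REVOKED, or the raw openssl error for anything else.
crl_check() {
  out=$(openssl verify -CAfile root.pem -crl_check -CRLfile "$1" server.pem 2>&1) && { echo OK; return 0; }
  case "$out" in
    *"CRL has expired"*)     echo EXPIRED ;;
    *"certificate revoked"*) echo REVOKED ;;
    *)                       echo "FAIL: $out" ;;
  esac
}

# Step 1: a fresh, empty CRL, valid for 7 days. Nothing is revoked yet.
openssl ca -config ca.cnf -gencrl -out crl-fresh.pem 2>/dev/null
# Step 2: a CRL that expires one second after issuance. Past nextUpdate, a
# CRL-checking client rejects the certificate even though it was never revoked:
# this is the outage the article warns about when a CA lets its CRL lapse.
openssl ca -config ca.cnf -gencrl -crlsec 1 -out crl-stale.pem 2>/dev/null
sleep 3
# Step 3: revoke the server certificate and publish a CRL that lists it.
openssl ca -config ca.cnf -revoke server.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl-revoked.pem 2>/dev/null

fresh_result()   { crl_check crl-fresh.pem; }     # OK
stale_result()   { crl_check crl-stale.pem; }     # EXPIRED
revoked_result() { crl_check crl-revoked.pem; }   # REVOKED

echo "fresh CRL: $(fresh_result)  expired CRL: $(stale_result)  after revoke: $(revoked_result)"
```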

Inside Look: How Certificate Authorities Work

Certificate authorities use asymmetric encryption to issue certificates. Asymmetric encryption creates a pair of cryptographic keys: one public and one private. The public key can be known to anyone; it is used to encrypt messages to the key holder and to verify identity claims backed by the corresponding private key. The private key should be known only to the certificate holder and is used to decrypt messages encrypted with the corresponding public key. The certificate holder can also use it to prove identity, such as by producing a digital signature or in place of entering a password.


Once a CA determines its security policies and vetting procedures, it can use asymmetric encryption to actually issue a certificate. First, the CA will compute a key pair and request information from the intended recipient to vet their credentials. Assuming the credentials check out, the CA will encode the public key and any identifying attributes into a Certificate Signing Request (CSR). 

The private key owner (aka certificate holder) and the CA then sign the CSR to verify possession of the key and validate the entire transaction. Finally, the public portion of that certificate then becomes available for anyone to access so they can verify ownership and determine if they trust the issuing certificate authority. 


An Important Note on Trust: Understanding CA Hierarchies

One critical element that underpins the entire concept of certificate authorities is the CA hierarchy. Essentially, this means there are CAs whose role is to verify the identity of, and issue certificates to, other certificate authorities. But this is not a never-ending chain: ultimately there is a root CA.

Two-tier and three-tier CA hierarchies are the most common, as more layers can lead to more complexity. A two-tier CA hierarchy includes a root CA and issuing CAs, while a three-tier CA hierarchy includes a root CA, policy CAs and issuing CAs.

What’s unique about the root certificate authority is that its certificate is self-signed. This means rather than having one party (the certificate authority) issue and sign the certificate for a separate recipient, the root CA issues and signs the certificate for itself. As a result, root CAs are subject to especially strict security measures and remain offline 99.9% of the time. If a breach does occur on a root CA, it can be particularly devastating because it invalidates all certificate authorities and the certificates they’ve issued that tie back to the root CA.
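The issuance steps under “How CAs Work” and the two-tier hierarchy just described, as an added example that is not part of this article: the root signs only the issuing CA’s certificate, the issuing CA signs the server’s CSR after checking proof of possession, and a relying party verifies the chain with and without the intermediate. Here the server generates its own key pair and sends only the public key in the CSR, which is the usual arrangement in practice. It assumes openssl (1.1.1 or later) on PATH; all CA and host names are constructed.

```shell
#!/bin/sh
# Added example (not code from the article): a two-tier hierarchy, root CA ->
# issuing CA, plus one server certificate, built with the OpenSSL CLI. The server
# makes its own key pair and CSR; the issuing CA checks proof of possession,
# applies its extension profile and signs; a relying party verifies the chain.
# Assumes openssl 1.1.1 or later on PATH. All names are constructed.
set -e
PKI_DIR=$(mktemp -d)
cd "$PKI_DIR"
# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extension profiles: the CA's policy, not the applicant, decides what each
# certificate may do (pathlen:0 stops the issuing CA from creating sub-CAs).
cat > ext.cnf <<'EOF'
[issuing_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.test
EOF

# 1. Root CA: self-signed (issuer == subject). In production this key stays offline.
openssl ecparam -genkey -name prime256v1 -noout -out root.key
openssl req -config req.cnf -x509 -new -key root.key -sha256 -days 3650 \
  -subj "/CN=Example Root CA" -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" -out root.pem

# 2. Issuing CA: the only thing the root signs is this CA's CSR.
openssl ecparam -genkey -name prime256v1 -noout -out issuing.key
openssl req -config req.cnf -new -key issuing.key -sha256 \
  -subj "/CN=Example Issuing CA" -out issuing.csr
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ext.cnf -extensions issuing_ca -out issuing.pem

# 3. Server: generates its own key pair; only the public key travels in the CSR.
openssl ecparam -genkey -name prime256v1 -noout -out server.key
openssl req -config req.cnf -new -key server.key -sha256 \
  -subj "/CN=intranet.example.test" -out server.csr

# 4. Issuing CA, before vetting the applicant: the CSR is self-signed, so a valid
#    signature proves the applicant holds the private key for the enclosed public key.
csr_proof_of_possession() {
  openssl req -config req.cnf -in server.csr -verify -noout >/dev/null 2>&1 && echo OK || echo FAIL
}

# 5. Vetting passed: sign with the issuing CA key under the server profile.
openssl x509 -req -in server.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
  -days 365 -sha256 -extfile ext.cnf -extensions server -out server.pem

# Relying-party view: only the root is a trust anchor; the issuing CA certificate
# is untrusted input that must itself chain to the root. Each prints OK or FAIL.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted issuing.pem server.pem >/dev/null 2>&1 && echo OK || echo FAIL
}
verify_without_intermediate() {   # what a client that lacks the intermediate sees
  openssl verify -CAfile root.pem server.pem >/dev/null 2>&1 && echo OK || echo FAIL
}
root_is_self_signed() {           # yes when the root's issuer and subject coincide
  [ "$(openssl x509 -in root.pem -noout -issuer | sed 's/^issuer=//')" = \
    "$(openssl x509 -in root.pem -noout -subject | sed 's/^subject=//')" ] && echo yes || echo no
}

echo "proof of possession: $(csr_proof_of_possession)   full chain: $(verify_chain)"
echo "root only (no intermediate): $(verify_without_intermediate)   root self-signed: $(root_is_self_signed)"
```

The failing root-only check is the same symptom the chain-resolver tools later in the article exist to fix: a server that omits its intermediate certificate looks untrusted to clients that only hold the root.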



What’s the Difference Between Public CAs and Private CAs?

Importantly, there is not just one type of certificate authority. We now have what’s known as public certificate authorities and private certificate authorities.

Both of these types of CAs play an important role in digital security, and while the way they function is ultimately the same, they are actually quite different — and most organizations will typically need to use both.

What is a Public Certificate Authority?

A public certificate authority is a third party that issues certificates to other organizations. Public CAs have no connection whatsoever to the recipients of their certificates and the certificates they issue are generally accepted as trusted across the internet.

The major reason for this trust is that public CAs must follow regulatory standards outlined by the CA/Browser Forum (CA/B Forum). The CA/B Forum was established in 2005 and its members include CAs as well as certificate consumers like Apple, Google, and Microsoft.

Currently, the CA/B Forum has a set of baseline requirements (which do get updated over time) that any certificate authority must meet in order to issue digital certificates that will be publicly trusted by web browsers. Part of these requirements includes the extent to which a public CA vets certificate recipients.

While following these requirements is the number one prerequisite for public CAs to achieve the necessary level of trust to issue widely accepted certificates, it is ultimately up to each certificate consumer (e.g. Apple for its devices and Safari web browser) which CAs and which certificates from those CAs should be trusted.

Organizations will obtain certificates from a public CA for any outward-facing use cases, such as a public website or a component of software that integrates with solutions from other companies or will be used by end customers.

What is a Private Certificate Authority?

A private certificate authority exists within the confines of an organization with the purpose of providing security for that organization. As a result, private CAs are internal to the organization itself and are therefore only trusted within that organization; they cannot be used for any external purposes.

This situation makes the use case for a private CA very different from the use case for a public CA. While an organization must obtain a certificate from a public CA to verify the authenticity of its external website, that same organization might use a private CA to secure internal resources, like a company intranet, inter-company communications, file sharing, access levels, and so on. 

For instance, a company that requires users to authenticate themselves to log onto company-owned devices (everything from individual laptops to shared office computers or printers) can use a private CA to issue each person a certificate. Individuals can then use this certificate for authentication rather than having to enter a password each time. In this case, using certificates issued from a private CA is much more secure than using passwords, which are often weak (and therefore easy to hack) and lack any kind of central control by a security team.

Overall, using a private CA has become especially critical to maintaining security as workforces become more mobile and more connected devices come into play. That’s because using digital certificates for authentication gives organizations more granular control over access levels, allows security teams to set certain standards that get applied across the entire organization, and centralizes management to provide more visibility into security across the board.

Another notable difference between a public CA and a private CA is that because a public CA is a third party, organizations can pick a CA and request certificates without having to worry about the security details of how those certificates are issued or maintained — all of that falls on the third-party certificate authority. Traditionally, organizations that want to stand up a private CA do need to think through the security implications and procedures since they own that certificate authority. 

However, organizations can now work with third parties that will set up and host a private CA for them, which eases many challenges associated with standing up a private CA while maintaining the security benefits of doing so.

Main Third Party, Public Certificate Authorities You Should Know About

Hundreds of public CAs exist globally; however, many of these third parties are smaller, regional players. Looking more closely at the public CA landscape, there are 14 third-party certificate authorities that are most widely accepted — with the top five dominating 97.8% of the entire market. 

Let’s take a look at each of these public CAs.

1) IdenTrust (52.7% market share)

IdenTrust provides digital certificates for government, healthcare, financial and enterprise organizations. It issues certificates for SSL/TLS, email security (via S/MIME), digital signatures, code signing, and network and IoT device protection (X.509 certificates). IdenTrust uses the only bank-developed identity authentication system in the world, covering more than 175 countries and supporting over 18 billion validations per year at an uptime of 99.9% or higher for validations and issuance.

2) DigiCert (19.3% market share)

DigiCert issues certificates for SSL/TLS, document signing, code signing, email security (via S/MIME), post-quantum and more. It also offers an enterprise PKI manager. DigiCert was a founding member of the CA/B Forum and works with a variety of organizations, including banks, ecommerce retailers, healthcare providers, manufacturers and technology companies.

3) Sectigo (16.8% market share)

Sectigo works with organizations of all types and sizes, including over 36% of Fortune 1000 companies. It issues certificates for SSL/TLS, DevOps, IoT, multi-layered web security, and enterprise PKI. In its lifetime, Sectigo has issued over 100 million digital certificates, with over 12 million certificates currently active.

4) GoDaddy (6.4% market share)

GoDaddy issues SSL certificates. It also offers a variety of services outside of security, like obtaining and selling domain names and building websites. GoDaddy operates in over 50 countries, was a founding member of the CA/B Forum and has won Online Trust Honor Roll and WebTrust awards.

5) GlobalSign (2.6% market share)

GlobalSign issues certificates for SSL/TLS, digital signatures, email security, code signing, authentication and mobile. Established as a public CA in 1996, GlobalSign works with large enterprises and has issued 2.5 million SSL certificates worldwide and 5 million digital identities for websites and machines, with 25 million certificates relying on the company’s trusted root.

6) Let’s Encrypt (1.8% market share)

Let’s Encrypt is a free, automated, and open certificate authority that issues SSL/TLS certificates. The non-profit organization is part of the Linux Foundation and provides certificates to 260 million websites, issuing around 2.5 million certificates each day.

7) Certum (0.5% market share)

Certum issues certificates for SSL/TLS, digital signatures, code signing and email security. It has over 20 years of experience and is a Microsoft trusted CA. To date, Certum has issued over 10 million certificates across 50 countries.

8) Secom (0.2% market share)

Secom was founded in 1962, originally offering security services such as guards and patrolling. It has since evolved, maintaining a strong reputation for security through a variety of services, including acting as a public CA by issuing certificates for SSL/TLS. Secom is also a member of the CA/B Forum.

9) Entrust (0.2% market share)

Entrust issues certificates for SSL/TLS, qualified electronic seals and digital signatures, in addition to offering managed PKI services. The company issues over 10 million credentials daily and is a member of the CA/B Forum.

10) Actalis (0.1% market share)

Actalis issues certificates for SSL, code signing and email security (via S/MIME) and is the only Italian member of the CA/B Forum. The company has issued over 480,000 active SSL certificates and over 310,000 active signature certificates.

11) E-Tugra (0.1% market share)

E-Tugra issues certificates for SSL and digital signatures. The company has generated over 3 million certificates and is the only CA in Turkey whose certificates are trusted on both desktop and mobile platforms.

12) WISeKey Group (0.1% market share)

WISeKey Group offers a root of trust, enterprise PKI and SSL certificates. The company is accredited by WebTrust.

13) Deutsche Telekom (0.1% market share)

Deutsche Telekom is a Germany-based telecommunications provider that offers a root certificate authority.

14) Network Solutions (0.1% market share)

Network Solutions issues SSL certificates, trusted site seals and other website security solutions on top of a variety of website hosting and online marketing services. The company is accredited by WebTrust.

Main Internal, Private Certificate Authorities You Should Know About

A variety of internal certificate authorities exist to help organizations stand up their own PKI programs. These private CAs offer a variety of different services and work with organizations to varying degrees. Here’s a look at the top 19 private CAs with open-source models that exist today.

1) PrimeKey EJBCA

PrimeKey EJBCA is an enterprise-grade open source CA and one of the longest-running CA software projects. It offers certificate management, certificate registration and enrollment and certificate validation, with support for SSL/TLS, smart card logon to Windows and/or Linux, signing and encrypting email (S/MIME), mobile PKI, secure mobile networks and more.

2) Let’s Encrypt Boulder

Let’s Encrypt Boulder is an ACME-based certificate authority, which means the CA can automatically verify certificate applicants. It also allows domain holders to easily issue and revoke certificates for their domains and uses a Dockerfile for all installation and dependency needs.

3) OpenCA PKI Development Project

OpenCA PKI Development Project is a collaborative effort to create an open source certificate authority that is full-featured out-of-the-box and relies on the most-used protocols for full-strength cryptography worldwide. The project focuses on (1) studying and refining the security scheme to guarantee it uses the best model and (2) developing software to make it easy to set up and manage a CA out-of-the-box.

4) mkcert

mkcert makes it easy to create locally-trusted development certificates without any configuration. It automatically creates and installs a local CA in a user’s system root store, creating locally-trusted certificates for development projects. This avoids the complexities of going through a real CA, eliminates the trust issues created by using self-signed certificates and simplifies the typically complex process of users managing their own CA.

5) Dogtag Certificate System

Dogtag Certificate System is an enterprise-grade open source CA that supports certificate lifecycle management (including key archival, smartcard management and OCSP), certificate issuance, revocation, retrieval, and CRL generation and publishing.

6) EasyCert

EasyCert makes it easy to generate web server TLS certificates self-signed by a private CA, which is also owned and managed by the same tool. This approach allows organizations to easily introduce their own TLS connections for testing to ensure that everything works correctly across HTTPS connections.

7) Smallstep

Smallstep is an online certificate authority that offers certificate signing and management features, including issuing, renewing and revoking certificates. The Smallstep CA can be used at any point in a CA hierarchy — as a root CA, policy CA or issuing CA. Smallstep also offers products for certificate management and SSH keys.

8) cert-manage

cert-manage is a cross-platform certificate management tool designed to give users easier control of their trusted x509 certificate stores on their systems and applications. Today, every device connected to the internet has “certificate stores” that contain trusted certificates that are important to digital communications.

However, these stores don’t provide granular management or any protection against misuse by users. cert-manage offers that detailed management and protection.

9) django-x509

django-x509 is an OpenWISP tool designed to provide a simple and reusable model for x509 PKI management within the django app. It offers capabilities for CA generation, end entity certificate generation, certificate revocation as well as the ability to specify x509 extensions on individual certificates.

10) ssh-inscribe

ssh-inscribe is Alpha-phase software that helps users manage secure access to their organization’s SSH hosts through SSH user certificates. Specifically, it allows users to authenticate against the server using specified credentials and, once the user is confirmed as known, the tool can generate certificates with specific options.

11) pki - Certificate Authority Management Suite

pki – Certificate Authority Management Suite uses OpenSSL to allow users to generate a root CA, create intermediary CAs (such as those for TLS, code signing and email certificates) and sign and issue web server certificates for their own domains.

12) SelfSigned-Cert-Creator

SelfSigned-Cert-Creator makes it easy to create a trusted self-signed certificate for SSL/TLS. It simplifies the complexities of doing this on your own and lowers the cost compared to going through a third party provider.

13) xca

xca is designed to create and manage x509 certificates, certificate requests, smartcards, CRLs and private keys based on the RSA, DSA and EC algorithms. It also allows users to create templates for issuing similar certificates and to convert existing certificates or requests into those templates.

14) SSL Certificate Chain Resolver

SSL Certificate Chain Resolver helps ensure a complete chain of trust within CA hierarchies on devices, especially mobile ones. It addresses the issue in which some clients (typically mobile devices) don’t recognize an intermediate CA within the hierarchy and therefore falsely report an insecure connection.

15) Trust Stores Observatory

Trust Stores Observatory monitors the contents of all major platforms’ (Apple, Google, Microsoft, Mozilla, Oracle, OpenJDK) root certificate stores to check for any changes. This makes it easy to download the most up-to-date root certificate stores and keep track of changes over time.

16) pki - Bootstrapping PKI with Yubikeys

pki – Bootstrapping PKI with Yubikeys offers helper scripts to build and manage internal CAs with Yubikey devices. Specifically, it stores CA information in GitHub and uses a set of helper utilities to support the creation of root certificates and CSRs, as well as the ability to load certificates and keys on Yubikey devices.

At that point, organizations can use the Yubikeys to sign CSRs to create certificates.

17) Azure Active Directory Hybrid ADFS Lab

Azure Active Directory Hybrid ADFS Lab is a Microsoft open source project that deploys a virtual network with three subnets and a public IP address for each node. The tool can assign CA roles within these subnets, generate certificates, and connect to Azure Active Directory.

18) OpenSSL Certificate Authority Guide

OpenSSL Certificate Authority Guide explains how organizations can act as their own CA using the OpenSSL command-line tools. This allows organizations to issue server certificates for a variety of instances, including securing a company intranet or allowing internal users to authenticate to a server.

19) certstrap

certstrap is a simple certificate manager that allows organizations to bootstrap their own certificate authority and PKI. Built using Go, certstrap enables users to establish a CA, create identities and CSRs and sign and generate certificates.

Conclusion

Answering the question of “what is a certificate authority?” is clearly not simple — but it’s extremely important. That’s because the certificate authority is such an essential component of digital security. And with a variety of public CAs and private CAs, there are a lot of nuances in the role that a CA can play when it comes to establishing and verifying secure connections.

Ultimately, if you can understand the purpose of a certificate authority (to serve as a trusted body that issues digital certificates to authenticate communications), how a certificate authority works and the various roles that public CAs and private CAs can play in that process, you’ll be well on your way to creating more secure browsing experiences and having the know-how to properly evaluate any type of CA you might come across.
