Importantly, there is not just one type of certificate authority. We now have what’s known as public certificate authorities and private certificate authorities.
Both of these types of CAs play an important role in digital security, and while the way they function is ultimately the same, they are actually quite different — and most organizations will typically need to use both.
A public certificate authority is a third party that issues certificates to other organizations. Public CAs have no connection whatsoever to the recipients of their certificates and the certificates they issue are generally accepted as trusted across the internet.
The major reason for this trust is that public CAs must follow regulatory standards outlined by the CA/Browser Forum (CA/B Forum). The CA/B Forum was established in 2005 and its members include CAs as well as certificate consumers like Apple, Google, and Microsoft.
Currently, the CA/B Forum maintains a set of Baseline Requirements (which are updated over time) that any certificate authority must meet in order to issue digital certificates that web browsers will publicly trust. Among other things, these requirements govern how thoroughly a public CA must vet certificate recipients before issuance.
While following these requirements is the number one prerequisite for public CAs to achieve the necessary level of trust to issue widely accepted certificates, it is ultimately up to each certificate consumer (e.g. Apple for its devices and Safari web browser) which CAs and which certificates from those CAs should be trusted.
Organizations will obtain certificates from a public CA for any outward-facing use cases, such as a public website or a component of software that integrates with solutions from other companies or will be used by end customers.
A private certificate authority exists within the confines of an organization with the purpose of providing security for that organization. As a result, private CAs are internal to the organization itself: they are only trusted within that organization and cannot be used for any external purposes.
This situation makes the use case for a private CA very different from the use case for a public CA. While an organization must obtain a certificate from a public CA to verify the authenticity of its external website, that same organization might use a private CA to secure internal resources, like a company intranet, inter-company communications, file sharing, access levels, and so on.
For instance, a company that requires users to authenticate themselves to log onto company-owned devices (everything from individual laptops to shared office computers or printers) can use a private CA to issue each person a certificate. Individuals can then use this certificate for authentication rather than having to enter a password each time. In this case, using certificates issued from a private CA is much more secure than using passwords, which are often weak (and therefore easy to hack) and lack any kind of central control by a security team.
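The trust boundary described above, and the fact that the relying party's trust store (not the issuer) decides what is accepted, can be seen concretely in code. The following Go program is an added example, not code from the original article: it builds a small in-memory private root CA with the standard-library `crypto/x509` package, issues a client-authentication certificate to a user, and then verifies that certificate twice, once against the organization's own root and once against an unrelated organization's root. The organization and user names are constructed placeholders, and a real private CA would of course keep its signing key in an HSM and publish revocation information.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PrivateCA is a minimal in-memory issuing authority used to illustrate the
// trust boundary of a private CA. Example code, not a production PKI.
type PrivateCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewPrivateCA generates a self-signed root certificate for one organization.
// The organization name is a constructed placeholder.
func NewPrivateCA(org string) (*PrivateCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: org + " Private Root CA", Organization: []string{org}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: the template is also the parent.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &PrivateCA{Cert: cert, key: key}, nil
}

// IssueUserCert signs a client-authentication certificate for a named person,
// the kind of credential the text describes replacing a device login password.
// The returned private key would normally live in the user's device key store.
func (ca *PrivateCA) IssueUserCert(user string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user, Organization: ca.Cert.Subject.Organization},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0), // one-year validity: a constructed policy choice
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// VerifyClientCert plays the relying party (a laptop, printer or intranet server).
// It accepts cert only if it chains to one of the roots the relying party has been
// configured to trust; the operating system's public root store is not consulted,
// so a certificate from a public CA would be rejected here just like a foreign one.
func VerifyClientCert(cert *x509.Certificate, trustedRoots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, root := range trustedRoots {
		pool.AddCert(root)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	corp, _ := NewPrivateCA("Example Corp")        // the organization's own private CA
	other, _ := NewPrivateCA("Some Other Company") // an unrelated organization's private CA
	userCert, _, _ := corp.IssueUserCert("alice@example.test", 1001)

	fmt.Println("accepted inside Example Corp:      ", VerifyClientCert(userCert, corp.Cert) == nil)
	fmt.Println("accepted by Some Other Company:    ", VerifyClientCert(userCert, other.Cert) == nil)
	fmt.Println("accepted with an empty trust store:", VerifyClientCert(userCert) == nil)
}
```

The same certificate is valid inside the organization and worthless outside it; nothing about the certificate itself changed, only the set of roots the verifier was configured with. That is the whole difference between private and public trust: a public CA's root is pre-installed in browsers and operating systems because it meets the CA/B Forum requirements, while a private root is trusted only on the devices the organization has deliberately provisioned with it.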
Overall, using a private CA has become especially critical to maintaining security as workforces become more mobile and more connected devices come into play. That’s because using digital certificates for authentication gives organizations more granular control over access levels, allows security teams to set certain standards that get applied across the entire organization, and centralizes management to provide more visibility into security across the board.
Another notable difference between a public CA and a private CA is that because a public CA is a third party, organizations can pick a CA and request certificates without having to worry about the security details of how those certificates are issued or maintained — all of that falls on the third-party certificate authority. Traditionally, organizations that want to stand up a private CA do need to think through the security implications and procedures since they own that certificate authority.
However, organizations can now work with third parties that will set up and host a private CA for them, which eases many challenges associated with standing up a private CA while maintaining the security benefits of doing so.