Domain certification is one of the chief concerns of a contemporary webmaster, but the SSL certificates we use on a daily basis don't appear out of thin air. Every publicly trusted SSL/TLS certificate is issued by a certificate authority (or certification authority) - an organisation that specialises in PKI and the issuance of digital certificates.
With this article, we aim to explain what a certificate authority is, why it's good to be aware of its purpose, how these entities operate, and why they're necessary for the overall security of the Internet.
The topic is particularly important for users that may still be looking into getting their first SSL certificate solutions. Choosing your own certificate authority is, after all, a matter of needing or wanting the features that a company might offer. Simply being aware of the different products that are available will make you, in turn, a more informed and satisfied buyer.
The value that certificate authorities bring to the table with their SSL certificates is downright immense, security-wise, and you'll learn precisely why this is the case.
- What does a Certificate Authority do?
- How can a Certificate Authority help you?
- How many Certificate Authorities are there?
- Are all Certificate Authorities good enough?
- Can you get Digital Certificates without a Certificate Authority?
- How to Get Digital Certificates, The Easy Way
- Resources to Help Choose the Right Certificate Authority
- What should the end-user focus on, in regard to their Certificate Authority?
- What is a 'Private Certificate Authority'?
- What is 'Certificate Revocation'? How does that work?
- Closing Thoughts
Certificate Authorities: Everything You Need to Know
In the simplest terms possible, a certificate authority is an entity that issues digital certificates. These certificates are what let web servers take part in the public key infrastructure (PKI): the most familiar example is HTTPS, where a server certificate lets a browser authenticate the site before it sends any data.
Every major certificate authority (CA) is effectively a trusted third party: a party that both ends of a connection rely on to vouch for identities. Browsers and operating systems ship the CA's root certificates in their trust stores, and the CA in turn issues certificates to companies, governments, institutions, and - indeed - individuals.
A digital certificate binds a domain name to a public key, and the CA's signature on it vouches for that binding. The matching private key stays on the server and is never shared. During the TLS handshake the server proves possession of that private key, so the visitor's browser can tell it reached the genuine site and not an impostor on the network path. Without that link, impersonation or tampering with the traffic would go unnoticed.
The techniques deployed by malefactors have grown increasingly sophisticated as the digital supply chain has grown to equal, even surpass, the complexity and inherent vulnerability of its analog counterpart. - Carolyn Ballo via PKI Solutions
We have already gone into significant detail on what SSL/TLS certificates are, how they work, and how they've come to be. The important bit to remember here is that a certificate authority verifies, before issuing, that the applicant controls the domain (and, for the higher validation levels, who the applicant is), then signs a certificate that browsers check on every connection. The certificate does not watch your traffic for you; what it does is let clients detect anyone who tries to impersonate your site or tamper with the connection without holding your private key.
What does a Certificate Authority do?
A certificate authority's job is to issue server certificates (i.e. SSL/TLS products) that certify control of a given domain name. There are, of course, root certificates that do not come from public certificate authority entities, but those are a story for another time.
For the vast majority of domain owners, the important thing is to obtain a CA-signed certificate that proves to visitors' browsers that the public key it contains belongs to the operator of that domain.
The exact nature of the certificate authority's engagement with your request will vary a great deal depending on the specific certificate you are attempting to get. There's a variety of different SSL certificates available that fulfill different security niches.
The simpler the website, the cheaper the certificate
A user that wishes to secure a simple blog website will, for example, have no need for advanced certificate management features. Or for high-end extended validation solutions, for that matter. Instead, getting a domain validation certificate will do the trick just fine.
In the case of a domain validated SSL, then, the certificate authority will simply verify your ownership of the domain and be done with it. A high-grade enterprise solution with extended validation, however, will incur a comprehensive look into your business details before issuing digital certificates of any sort.
The amount of checking is also what drives the most visible difference between validation types: price. The more work that needs to be done before your signed certificate is made available, the pricier the certificate tends to be. Note that the validation level changes how much the CA vouches for, not the strength of the encryption; a DV and an EV certificate protect the connection itself in exactly the same way.
That said, the more advanced certificates also come with increasingly more valuable tools and security features that enterprise-grade clients may end up needing in the long run. We mentioned certificate management beforehand, but this really is a major concern for webmasters that are handling multiple domains with dozens of parallel subdomains running all at once.
How can a Certificate Authority help you?
In broad, general terms, reaching out to certificate authorities is your first step towards establishing your own domain's trustworthiness. Installing a signed certificate (together with its private key and intermediate chain) on your web server is what enables HTTPS, which is a must-have.
Modern web browsers mark a site as "Not secure" when it is served over plain HTTP. It should be plenty obvious that the first thing a fresh visitor (and, more importantly, potential customer) sees when they visit your website ought not to be a security warning.
Beyond authenticating your site, server certificates have also proven to be an SEO boon. Google announced in 2014 that it would use HTTPS as a ranking signal (a lightweight one at first), so it's hardly a surprise that domain owners with SSL/TLS certificates in place generally see better SEO results, too.
No matter which particular certificate you choose, simply enabling HTTPS on your domain removes the browser warning and can lead to increased conversions in the long run. And that's just a side-effect of the all-important promise of digital security. Both for you, and for your visitors and clients.
Your own certificates, then, lead not only to a vastly improved user experience for your visitors, but may also play a role in your search engine performance in the long run.
How many Certificate Authorities are there?
Over a hundred certificate authorities are active across the globe, although only those whose roots are included in the major browser and operating-system trust stores matter for a public website. The most prominent and important ones are featured directly at SSLTrust:
Publicly trusted certificate authorities offer products recognized by all modern (and up-to-date) web browsers. Because every public CA has to follow the same validation rules (the CA/Browser Forum's Baseline Requirements), one domain-validated server certificate won't differ much from another in the protection it provides; that uniform validation process is what has turned the basic product into a commodity.
For users, this is a non-issue. With the way contemporary certificate authorities work, most users will be perfectly happy with any publicly trusted root certificate authority on the market.
A Thawte SSL will deliver the same protection on the wire that a DigiCert SSL would, at a lesser price (Thawte is, in fact, a DigiCert brand). We mentioned before that the specific feature list is where the important certificate differences lie. To that end, though Thawte may be cheaper, it also doesn't come with the comprehensive set of extra tools and features that DigiCert products have by default.
Each user and domain owner will weigh these differences however they see fit. In the end, as long as a valid CA-signed certificate is in place, connections to the domain in question will be significantly harder to intercept or impersonate than they otherwise would've been.
Are all Certificate Authorities good enough?
As long as you choose a well-regarded and well-established brand, you generally cannot go wrong with any of the certificate authorities on offer.
Of course, it's never a bad idea to look for reviews left by the users of a particular public certificate authority. On top of that, browser root programs require CAs to disclose incidents publicly, so mis-issuances and policy violations are tracked and reported on by dedicated web security outlets, such as SSLTrust's very own blog.
Even a cursory search will give you a solid idea of what might be happening with a specific certificate authority. Potential issues, then, are telegraphed well in advance in most cases, and it's a reasonably safe assumption that any public certificate authority you see recommended online will be a good choice.
Trusted third parties' role in PKI
PKI, or public key infrastructure, is the technology that allows us to authenticate users, servers and devices in a digital context. The very pillar of PKI is a trusted third party that digitally signs statements binding a particular public key to a particular entity. Or, in other words, that a given key belongs to a given domain, person, or device.
Certificate authorities fill the role of that trusted third party. Without them, the entire system would fall apart, because nobody could verify anybody else's identity, and every access decision that rests on identity would rest on nothing. This is accomplished industry-wide through the X.509 certificate format, originally an ITU-T standard, which the Internet Engineering Task Force profiles for Internet use in RFC 5280 (the successor to RFC 3280).
Note that the CA is not the source of your key pair. You generate the private key and public key yourself, keep the private key on your server, and send only the public key to the CA inside a certificate signing request. What the CA supplies is the signed certificate and, with it, a valid certification path from its trusted root down to your certificate.
Can you get Digital Certificates without a Certificate Authority?
Whereas all certificates issued by a publicly trusted certificate authority carry weight simply because browsers already trust the issuer, it's always worth remembering that you can get other certificates, too.
It's a little-known fact that virtually anybody can issue digital certificates in the first place. This is where self-signed certificates come from: a key pair and the ability to sign are all it takes, so users can freely sign certificates whenever they choose.
In practice, this means that any company or individual can set up a way to issue certificates if they want or need to do so. However, because that issuer is in nobody's trust store, browsers will warn visitors about such self-signed certificates, which means they won't be useful as a general product.
This makes them good for local enterprise setups, test environments, or dedicated intranet instances where you control every client's trust store, but not much else. The ability to create certificates isn't special on its own; the presence of a trusted third party at the top of the certificate chain is.
Somewhat more useful than self-signed certificates are the free certificates that some publicly trusted CAs issue, typically through automated, open-source client tools. These work well for basic HTTPS, but they don't have the same value proposition (support, higher validation levels, management tooling) as paid products from certificate authorities.
Some Certificate Authorities offer free certificates, but beware: these free offerings come without any personalized technical support and have potentially onerous restrictions on the number of certificates that you can issue. - Corey Bonnell via PKI Consortium
Consider the chain of trust
The so-called chain of trust is the hierarchy that links the certificate installed on your server back to a root that browsers already trust. The root CA signs an intermediate CA's certificate, and the intermediate CA signs the end-entity (leaf) certificates handed to customers; a browser follows those signatures back up until it reaches a root in its trust store.
Any given chain of trust consists of three main elements:
- Trust anchor: the root certificate of the certificate authority of your choice, self-signed, typically kept offline, and distributed in browser and operating-system trust stores
- Intermediate certificate: signed by the root, it does the day-to-day issuing so the root key can stay offline; your server has to send it along with your own certificate, or clients won't be able to build the chain
- End-entity (leaf) certificate: the final product released to the requesting entity, binding the domain name to your public key
If you'd like to see a real-world example of a chain of trust, you can simply inspect an HTTPS-enabled website. Open the certificate details in your browser, and you should be greeted by a window that shows the leaf, intermediate and root certificates.
Naturally, a private certificate authority that is not a publicly trusted third party will have a chain that ends in a root no public browser recognises, or, for a self-signed certificate, no chain at all.
Since all of this information is readily available, you can make an informed decision about which roots to trust and how to deploy certificates under them.
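To make the chain concrete, here is an added example written for this page; it is not code from the original article or from any CA's own software. It uses Go's standard library to build a hypothetical three-tier chain (Example Root CA, Example Issuing CA and a leaf for www.example.test; all names, serial numbers and keys are made up and generated on the spot) and then plays the client's role, verifying the leaf under the conditions a webmaster actually runs into: the complete chain, a server that forgets to send the intermediate, a root that is not in the trust store (which is exactly how a private CA or a self-signed certificate looks to the public), and a correct chain presented for the wrong host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a CA or leaf certificate template. Names and serials are hypothetical.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{name} // browsers match the SAN list, not the CommonName
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates a fresh P-256 key pair for the subject and has the parent sign the
// template. With parent == nil the certificate is self-signed (a root, or a self-signed
// leaf). Each party keeps its own private key; the signer never sees the subject's key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// verdict does what a browser does: build a path from the leaf, through whatever
// intermediates the server sent, to a root in the client's trust store, and check that
// the certificate is for the host actually being visited.
func verdict(leaf *x509.Certificate, sent, trusted []*x509.Certificate, host string) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknownCA):
		return "untrusted: no path to a trusted root"
	case errors.As(err, &badHost):
		return "untrusted: certificate is for another host"
	}
	return "untrusted: " + err.Error()
}

// Scenarios builds the hypothetical chain and reports how a client judges it in each case.
func Scenarios() map[string]string {
	root, rootKey := newCert(template("Example Root CA", 1, true), nil, nil)
	inter, interKey := newCert(template("Example Issuing CA", 2, true), root, rootKey)
	leaf, _ := newCert(template("www.example.test", 3, false), inter, interKey)
	selfSigned, _ := newCert(template("www.example.test", 4, false), nil, nil)
	chain, store := []*x509.Certificate{inter}, []*x509.Certificate{root}
	return map[string]string{
		"full chain, root trusted":        verdict(leaf, chain, store, "www.example.test"),
		"server omitted the intermediate": verdict(leaf, nil, store, "www.example.test"),
		"root not in the trust store":     verdict(leaf, chain, nil, "www.example.test"),
		"self-signed leaf":                verdict(selfSigned, nil, store, "www.example.test"),
		"right chain, wrong host":         verdict(leaf, chain, store, "mail.example.test"),
	}
}

func main() {
	for name, v := range Scenarios() {
		fmt.Printf("%-32s %s\n", name, v)
	}
}
```

Run it with go run and only the first case comes back trusted. The omitted-intermediate case is the most common real-world misconfiguration: the certificate itself is fine, but the client cannot build the path, so make sure your server sends the full chain the CA gave you, not just the leaf.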
Your fast-track to getting a certificate in place
For an average user that simply wishes to get a proper CA-signed certificate, the process is simple. Depending on your SSL of choice, it might even be done in a matter of minutes.
Right now, you can generate a private key and public key pair on your own machine in a fraction of a second, and a certificate authority can validate a domain and issue against that key within minutes, making the issuance process a breeze compared to how it used to be. The private key never needs to leave your server. The vast majority of users - especially non-enterprise entities - can protect their domain in record time.
So, where would you start?
How to Get Digital Certificates, The Easy Way
It all begins with your certificate signing request.
The certificate signing request (CSR) is a standardised message (PKCS #10, specified in RFC 2986) that kickstarts the process of issuing certificates. It carries your public key, the domain name(s) and subject details you want certified, and a signature made with your private key, which proves you hold that key without ever revealing it. For a CA to be able to process your certificate request, you generate the CSR on your side and paste the resulting block of text, which begins with "BEGIN CERTIFICATE REQUEST", into the order with the certification authority of your choice.
The CSR gives any certification authority all the details it needs for the issuance process. It's worth pointing out that, since the format is standard, you can generate yours wherever you like (on your own server, with any standard tool), and as long as it's complete and properly formatted, it's going to work just fine until your business/domain details or your key change. Generating a fresh key pair, and therefore a fresh CSR, at each renewal is the better practice.
To make the process as easy and streamlined as possible for you - the end-user - we've got a dedicated CSR page right here at SSLTrust. All you need to do is to visit the page, fill out the CSR itself, and you'll have taken the crucial first step towards getting your very own certificate issuance with a trusted CA certificate, to boot.
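The following added example is not code from the article or from SSLTrust's CSR page; the organisation and host names are constructed for illustration. It shows both sides of the CSR exchange in Go: the subscriber generates the key pair locally and produces a PEM-encoded PKCS #10 request, and the CA parses that request, checks its signature as proof that the applicant holds the matching private key, and refuses to issue for any name the applicant has not demonstrated control of. It also shows what a request altered in transit, and a request that asks for an extra name, look like from the CA's side.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// MakeCSR is the subscriber's side. The key pair is generated here, on the subscriber's
// own machine; only the returned PEM block travels to the CA.
func MakeCSR(org string, names []string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: names[0], Organization: []string{org}},
		DNSNames: names, // the SAN list is what browsers actually match against
	}
	// CreateCertificateRequest embeds the public key and signs the request with the private key.
	der := must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

// CheckCSR is the CA's side. validated holds the names whose control the applicant has
// already demonstrated (DNS record, HTTP challenge, or the deeper OV/EV checks).
func CheckCSR(csrPEM []byte, validated map[string]bool) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	// The signature was made with the private key matching csr.PublicKey: proof of
	// possession without the key ever being transmitted.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if len(csr.DNSNames) == 0 {
		return nil, errors.New("request carries no DNS names")
	}
	for _, n := range csr.DNSNames {
		if !validated[n] {
			return nil, fmt.Errorf("name %q was not validated", n)
		}
	}
	return csr, nil
}

// Outcome summarises what the example demonstrates.
type Outcome struct {
	PEMContainsPrivateKey bool // must be false: the CSR carries the public key only
	KeyInCSRMatches       bool // the key the CA will certify is the one generated locally
	ValidAccepted         bool
	TamperDetected        bool // altered subject -> signature no longer verifies
	ExtraNameRejected     bool // a name the applicant never validated
}

func Demo() Outcome {
	var out Outcome
	validated := map[string]bool{"www.example.test": true, "example.test": true}
	key, csrPEM := MakeCSR("Example Pty Ltd", []string{"www.example.test", "example.test"})
	out.PEMContainsPrivateKey = strings.Contains(string(csrPEM), "PRIVATE KEY")

	csr, err := CheckCSR(csrPEM, validated)
	out.ValidAccepted = err == nil
	out.KeyInCSRMatches = err == nil && key.PublicKey.Equal(csr.PublicKey)

	// Tamper with the request in transit: change one byte of the subject name.
	block, _ := pem.Decode(csrPEM)
	der := append([]byte(nil), block.Bytes...)
	der[bytes.Index(der, []byte("www.example.test"))] = 'x'
	tampered := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	_, err = CheckCSR(tampered, validated)
	out.TamperDetected = err != nil && strings.Contains(err.Error(), "proof of possession")

	// Ask for a name the applicant never proved control of.
	_, greedy := MakeCSR("Example Pty Ltd", []string{"www.example.test", "admin.example.test"})
	_, err = CheckCSR(greedy, validated)
	out.ExtraNameRejected = err != nil && strings.Contains(err.Error(), "not validated")
	return out
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The point to take away is the split of responsibilities: everything secret happens in MakeCSR on your side, and everything the CA needs is verifiable from the request alone. Whatever tool you use to generate a CSR, check where the private key ends up and keep it there.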
Resources to Help Choose the Right Certificate Authority
Now, if you've come this far, then you're probably in need of advice. Thankfully, that's precisely the area where we can help.
Namely, SSLTrust offers a dedicated - and comprehensive - look at all the main certificate authorities available on the market. For broad, wide-sweeping overviews, head on over to this page and you should have a solid idea of what your next step ought to be.
Enterprise-oriented customers will find much to enjoy with dedicated DigiCert solutions, which offer truly high-end features at an appropriate cost. On the other hand, securing a simple blog or even a small-time business website will be easy, cheap, and fast if you follow our advice and choose Thawte or Comodo SSLs.
Will your Certificate Authority help with potential issues?
Absolutely. One of the greatest boons that the end-user gets when they decide to get an SSL/TLS certificate from a mainline CA is that they can count on top-end customer support.
By partnering with a trusted Certificate Authority, you can rest assured that you will receive personalized assistance from a support representative to overcome any challenges that are encountered when securing your website and assist you with properly configuring HTTPS. - Corey Bonnell via PKI Consortium
In fact, if you choose to get your certificates from a dedicated security provider such as SSLTrust, we even offer our own team of security experts, should you need them.
It's the goal of every disparate entity present during the issuance process that everyone is secured on the Internet at all times. So, it's in your CA's best interest to clear things up, too - as is ours.
What should the end-user focus on, in regard to their Certificate Authority?
You - the end-user - should primarily focus on finding the solution that is right for your specific use case. Here at SSLTrust, we've dedicated considerable resources to making that a possible and viable option for virtually everyone.
It's absolutely crucial to note that there's no need to over-spend on website security. To that end, interested parties may wish to check out the following shortlist:
- Identify the type of website you are attempting to secure.
- Identify the specific features you need to keep your visitors safe.
- Reference the list of available CAs and consider the SSL certificates they have in store.
- Complete your CSR.
That's all there is to it. It's in everyone's best interest for you to establish a secure website that leverages PKI to its fullest extent, after all.
What is a 'Private Certificate Authority'?
For the vast majority of non-enterprise users, the notion of a private certificate authority will be entirely irrelevant. A private CA is precisely that: a private CA. One that isn't in any public trust store, so the certificates it issues are only trusted by the clients that have been explicitly configured to trust it.
Namely, whereas trusted root certification authorities offer widely available SSL solutions to a massive array of potential customers, a private CA is an in-house issuance authority that issues certificates locally, to its own organisation's servers, devices, and users.
Private CAs mostly aren't a consideration for the general consumer
Indeed, many global enterprises run their own private CA to issue certificates for internal services, so they don't need to go to a public CA for every internal hostname or device.
For large, globally-spanning enterprises that can manage certificates without the help of another trusted third party, it makes perfect sense to set up a dedicated entity that issues certificates for the enterprise's own networking setup.
It also follows that, for a private CA, the general public simply isn't the target audience. A private CA plays a small role in the public web's PKI but a large one inside the enterprises that run them, and it's good to be aware of the distinction.
What is 'Certificate Revocation'? How does that work?
We've tangentially covered the topic of certificate revocation on the SSLTrust blog, but the gist of it is that a certificate sometimes has to be declared invalid before its expiry date: because its private key was lost or exposed, because the domain changed hands, or because the CA discovers it should never have been issued in the first place.
When that happens, the CA adds the certificate's serial number to its certificate revocation list (CRL), and may also report it through OCSP, so that clients know not to trust that certificate even though it is otherwise valid and unexpired. In practice, browser support for revocation checking varies and is often best-effort, so revocation is a backstop, not a substitute for protecting the private key.
Revocation States and Nuances
As per RFC 5280, a certificate on a CRL is in one of two states, indicated by the reason code recorded with it.
First is actual revocation, where the certificate is permanently and irreversibly revoked. There are multiple reasons this could happen to an SSL. For example, a CA could discover that it improperly issued the certificate and be obliged to revoke it. Alternatively, this could happen because the subscriber failed to adhere to policy requirements, because the original domain owner is no longer in sole possession of the given domain, or because the private key was compromised.
The second state is that of a certificate being temporarily put on hold (the certificateHold reason code). This is a reversible status that invalidates a given SSL solution for a while, for example while the owner investigates whether a key has been mishandled. Once the issue is resolved, the CA simply omits the serial number from the next CRL it publishes, and the SSL on hold is reinstated. One caveat: if the private key is known or reasonably suspected to be compromised, the correct action is permanent revocation, since a certificate whose key an attacker may hold can never safely be reinstated.
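As an added illustration that is not part of the original article (the issuer name, serial numbers and validity periods are constructed, and it needs Go 1.21 or later for the RevocationListEntry API), this program plays both the CA, which publishes signed CRLs, and a client, which verifies a CRL's signature and freshness before looking a serial number up. The second CRL shows the two states above in action: the key-compromise revocation stays listed, while the certificate that was on hold is simply absent from the next CRL and is trusted again. A CRL signed by someone else, even under the same issuer name, is rejected outright.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CRLReason codes from RFC 5280 section 5.3.1 (only the two used here).
const ReasonKeyCompromise, ReasonCertificateHold = 1, 6

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewIssuer makes a minimal CA: a self-signed certificate with the cRLSign key usage.
func NewIssuer(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// Publish signs a complete CRL numbered num. Each CRL is the whole list, so a certificate
// whose hold was lifted is simply omitted from the next publication, while a permanently
// revoked one stays listed until it expires.
func Publish(ca *x509.Certificate, key *ecdsa.PrivateKey, num int64, entries []x509.RevocationListEntry) []byte {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(num), RevokedCertificateEntries: entries,
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, key))
}

// Status is the relying party's side: parse, verify the CRL really comes from the issuer,
// reject a stale list, then look the serial number up.
func Status(crlDER []byte, issuer *x509.Certificate, serial int64) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL is stale, nextUpdate was %s", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(big.NewInt(serial)) == 0 {
			if e.ReasonCode == ReasonCertificateHold {
				return "hold", nil
			}
			return "revoked", nil
		}
	}
	return "good", nil
}

// Demo walks two CRL publications for three hypothetical certificates (serials 1001-1003)
// plus one forged CRL, and reports what a client concludes in each case.
func Demo() map[string]string {
	ca, key := NewIssuer("Example Issuing CA")
	compromised := x509.RevocationListEntry{SerialNumber: big.NewInt(1001), RevocationTime: time.Now(), ReasonCode: ReasonKeyCompromise}
	onHold := x509.RevocationListEntry{SerialNumber: big.NewInt(1002), RevocationTime: time.Now(), ReasonCode: ReasonCertificateHold}
	first := Publish(ca, key, 1, []x509.RevocationListEntry{compromised, onHold})
	second := Publish(ca, key, 2, []x509.RevocationListEntry{compromised}) // hold on 1002 lifted
	rogueCA, rogueKey := NewIssuer("Example Issuing CA")                   // same name, different key
	forged := Publish(rogueCA, rogueKey, 1, nil)

	res := map[string]string{}
	check := func(name string, crl []byte, serial int64) {
		s, err := Status(crl, ca, serial)
		if err != nil {
			s = "rejected: " + err.Error()
		}
		res[name] = s
	}
	check("first CRL, 1001", first, 1001)
	check("first CRL, 1002", first, 1002)
	check("first CRL, 1003", first, 1003)
	check("second CRL, 1001", second, 1001)
	check("second CRL, 1002", second, 1002)
	check("forged CRL, 1003", forged, 1003)
	return res
}

func main() {
	for name, verdict := range Demo() {
		fmt.Printf("%-18s %s\n", name, verdict)
	}
}
```

Two details in Status are the ones that matter operationally: the signature check, without which anyone could publish a "CRL" that un-revokes a stolen certificate, and the nextUpdate check, because a CRL a client cached months ago says nothing about what has been revoked since.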
Closing Thoughts
We hope this article helps you compartmentalize all the disparate information about certificate authorities that is out there.
Really, it all boils down to the notion of having a trusted third party that vouches for public keys, and issues proof of domain control in the form of SSL/TLS certificates. Everything else is optional fluff, for better or for worse, and most domain owners can carry on just fine with knowing the bare minimum.
An informed buyer, however, is a valuable buyer. Simply by using the resources we've provided here you can figure out what the very best CA and SSL may be for you specifically. That way, you won't overspend on a certificate that would underdeliver.