Although Certificate Authorities (CAs) are central to the operation of the SSL industry and, in turn, the overall security of the Internet, casual Internet users probably don’t know a whole lot about them. They visit websites with HTTPS-enabled websites not realising the role CAs play in establishing that secure connection. Similarly, some website owners may buy an SSL certificate without really knowing where it came from.
Today we’re going to shed some light on the role of CAs, what they actually do behind the scenes, and why they’re so important. Read on to learn more.
The role of Certificate Authorities
CAs are trusted entities in charge of the signing, issuance, and revocation of SSL certificates. While a lot of third-party sites across the web deal with the promotion, sale, and management of SSL certificates, CAs are the ones who actually create and issue SSLs. (SSLs.com, for example, is partnered with a CA called Sectigo.)
Not only do CAs deal with the distribution of SSL certificates, but they also verify the identity of those seeking an SSL. Once verified, the digital certificate issued will contain information about the person or organization that owns the website. The extent of this verification and information displayed is dependent on the type of SSL you choose. While a Domain Validation (DV) level of certificate will confirm that someone owns a domain, Organization Validation (OV) and Enterprise Validation (EV) level certificates verify the organization behind the website, and require far more extensive background checks before an SSL is issued. It’s the CAs that carry out these checks.
So not only do CAs help in the creation of encrypted connections across the web, they help users assess the legitimacy of certain websites. When users visit a website, they can click on the little padlock in the address bar for more details about who owns it. SSL certificates also feature a digital signature from the issuing CA. So when users see that an SSL certificate was issued by a trusted CA, they can be safe in the knowledge that the website owners were vetted and verified, and they can trust the website.
Not only do CAs issue SSL certificates, it’s their job to revoke them if an issued SSL certificate is no longer considered trustworthy. They add such a certificate to a public list called a certificate revocation list, which clients (such as web browsers) can check before loading a web page. If someone tries to visit a webpage with a revoked certificate, the browser will give a warning to the user, advising them not to proceed because the certificate is no longer trusted.
How does a Certificate Authority become trusted?
Since we have so much faith in CAs to tell us whether or not a certificate or an organization is trusted, it’s fair to wonder why we should actually trust them. Who determines whether they are trustworthy and who keeps them in check? First off, there’s the CA/Browser Forum, the entity that regulates the SSL industry, providing guidelines concerning the issuance and management of SSL certificates. CAs must meet the forum’s baseline regulatory standards. Major browsers and operating systems also have their own list of regulations when it comes to trusting a CA (such as Apple and Microsoft). Many require that CAs undergo frequent audits to ensure that they comply with the necessary security standards.
If you’re wondering whether or not a CA is trusted, there are a number of ways to check. First, you can see whether they’re a member of the CA/Browser forum here. Individual browsers and operating systems also maintain individual lists of CAs they trust. For example, Apple, Mozilla, and Microsoft all have their own lists of CAs they consider trustworthy.
The importance of trusted CAs really can’t be understated. With the role they play in verification and the distribution of SSLs, CAs provide a means of keeping the SSL industry in check so that you can browse the web safely and securely.
If you’re looking to secure your site with an SSL certificate, check out the range of affordable SSLs we have on offer.