
What is a Certificate Authority? How PKI Trust Works

Updated May 2026, by CertNotify Team

A Certificate Authority (CA) is a trusted organisation responsible for issuing and signing digital certificates. When your browser shows a padlock icon, it is because a CA has verified the identity of the server you are connecting to. Understanding how CAs work is essential for anyone managing websites, APIs, or internal services.

What Does a Certificate Authority Actually Do?

A CA performs three core functions: it verifies the identity of certificate applicants, it digitally signs certificates with its private key, and it maintains Certificate Revocation Lists (CRLs) to invalidate compromised certificates. When a CA signs your certificate, it is effectively vouching for your identity to every browser and device that trusts that CA.

The trust flows from the CA's root certificate, which is pre-installed in operating systems and browsers. As of 2026, there are roughly 150 root CAs trusted by major browsers — each one responsible for millions of downstream certificates.

The PKI Trust Chain Explained

Public Key Infrastructure (PKI) is the system of roles, policies, and procedures that governs how certificates are created, managed, and revoked. The trust chain — also called the certificate chain — works as follows:

  1. Root CA — The highest level of trust. Root certificates are self-signed and embedded in OS/browser trust stores. Examples: DigiCert Root G5, ISRG Root X1 (Let's Encrypt).
  2. Intermediate CA — Signed by the root CA. Used to issue end-entity certificates. This protects root CAs from direct exposure — if an intermediate is compromised, only it is revoked, not the root.
  3. End-Entity Certificate — The certificate on your server. Signed by an intermediate CA. Contains your domain name, public key, expiry date, and subject details.

When a browser connects to your site, it walks this chain from your certificate up to a trusted root. If any link in the chain is broken — a missing intermediate, an expired certificate, or a revoked issuer — the connection fails with a trust error.
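As an added example (not code from the original article), the chain walk described above using Go's standard library: it constructs a demo root, intermediate and leaf, then verifies a complete chain, a chain where the server omitted its intermediate, and an expired leaf. The names Demo Root CA, Demo Intermediate CA and www.example.test are constructed for the demo.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// makeCert issues a certificate for cn signed by parent (constructed demo CA); parent == nil yields a self-signed root.
func makeCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // a CA certificate must be permitted to sign other certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // end-entity: the hostname goes in the SAN, which is what clients match against
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root: it is its own issuer
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifyChain does what a browser does: build a path from the leaf through the presented intermediates to a trusted root.
func verifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots { rootPool.AddCert(c) }
	for _, c := range intermediates { interPool.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: rootPool, Intermediates: interPool})
	return err
}
// Demo builds root -> intermediate -> leaf and returns the verification result for three scenarios.
func Demo() (complete, missingIntermediate, expiredLeaf error) {
	day := time.Now().Add(24 * time.Hour)
	root, rootKey := makeCert("Demo Root CA", true, day, nil, nil)
	inter, interKey := makeCert("Demo Intermediate CA", true, day, root, rootKey)
	leaf, _ := makeCert("www.example.test", false, day, inter, interKey)
	old, _ := makeCert("www.example.test", false, time.Now().Add(-time.Minute), inter, interKey)
	complete = verifyChain(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root})  // nil: chain is valid
	missingIntermediate = verifyChain(leaf, nil, []*x509.Certificate{root})              // unknown authority
	expiredLeaf = verifyChain(old, []*x509.Certificate{inter}, []*x509.Certificate{root}) // expired
	return
}
```

Only the root is in the trust store; the intermediate must be presented by the server, which is why omitting it produces the unknown-authority error even though the root is trusted.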

Types of Certificate Authorities

Public CA

Trusted globally by browsers and OS. Examples: DigiCert, Sectigo, GlobalSign, Let's Encrypt. Certificates from these CAs work for public-facing websites.

Private / Internal CA

Used within organisations for internal services. Not trusted by default externally. Common in enterprise networks using tools like Microsoft AD CS or HashiCorp Vault.

Free CA

Let's Encrypt is the most popular free CA, issuing short-lived (90-day) certificates. Ideal for most websites but requires automation for renewal.

Government CA

Some governments operate their own CAs for official websites. Not always universally trusted — usage is typically mandated by national policy.

How CA Validation Levels Work

Not all CAs verify identity the same way. There are three validation levels, each with different levels of identity assurance:

  Level                       | Verification                   | Best For            | Issuance Time
  DV (Domain Validated)       | Domain ownership only          | Blogs, apps, APIs   | Minutes
  OV (Organisation Validated) | Domain + company identity      | Business websites   | 1–3 days
  EV (Extended Validation)    | Full legal entity verification | Finance, healthcare | 1–2 weeks

What Happens When a CA Is Compromised?

CA compromise is rare but devastating. In 2011, Dutch CA DigiNotar was breached — attackers issued fraudulent certificates for Google, Yahoo, and others. The CA was subsequently removed from all major browser trust stores, rendering every website with a DigiNotar certificate unreachable.

To protect against this, modern browsers use Certificate Transparency (CT) logs — public, append-only records of every certificate issued. Chrome and Safari reject publicly trusted certificates that do not carry proof of having been logged in CT. This makes it much harder for a rogue CA to issue certificates undetected.

Choosing the Right CA for Your Use Case

Personal blog or portfolio

Use Let's Encrypt — free, automated, and universally trusted. Pair it with Certbot or ACME clients for zero-maintenance renewal.

SaaS product or startup

Let's Encrypt or DigiCert DV. Automate renewal with ACME. If you need OV for customer trust, use Sectigo or GlobalSign.

Financial services or healthcare

Consider EV or OV certificates from DigiCert or Entrust. These provide higher assurance visible in the certificate details (though browsers no longer show the green bar).

Internal microservices

Deploy a private CA using HashiCorp Vault, AWS ACM Private CA, or cert-manager on Kubernetes. This gives you full control over certificate lifecycle.

Key Takeaways

  • CAs form the backbone of internet trust through PKI — without them, encrypted connections would be unverifiable.
  • The chain of trust runs from root CA → intermediate CA → your certificate.
  • Missing intermediate certificates are one of the most common causes of SSL errors.
  • Certificate Transparency logs make CA mis-issuance detectable and accountable.
  • Choose your CA based on your threat model, compliance requirements, and automation capabilities.

Monitor certificate chain health automatically

CertNotify checks your full certificate chain — including intermediate validity — and alerts you before issues affect users.
