If you’ve been looking to buy an SSL certificate for the first time, you’ve likely come across a lot of unfamiliar jargon. A key term is Certificate Authority (commonly abbreviated to CA). What are these mysterious organizations, and are they really that important? The answer is a resounding yes! Read on to find out why.
Maintaining the system
CAs are the bodies responsible for creating, signing, issuing, and revoking SSL certificates across the web. Basically, they help maintain the whole public key infrastructure (aka PKI, the framework that underpins SSL) and ensure everything runs smoothly, keeping millions of websites secured across the web.
Sounds like a big job. But what exactly does it involve? It’ll probably be pretty obvious if you’ve ever gotten an SSL, but let's take a closer look.
The lifecycle of an SSL certificate
The role of a CA boils down to the lifecycle of an SSL. When you first purchase an SSL, you will need to choose a validation level. This ranges from domain validation (DV), which is the most basic level, to Extended Validation (EV), which is the most extensive form. It’s the issuing CA who performs the validation checks: DV simply checks that you have access to an admin email address for the domain, while EV involves steps such as verifying government records and more.
Once activation and validation are complete, the CA issues the SSL. The certificate carries a digital signature from the CA, which shows anyone or anything that inspects it, such as website visitors or web browsers, that it was issued and is maintained by a trusted source. The CA also sets an expiration date in the certificate. Once the SSL expires, it is no longer valid.
Another thing that can render an SSL invalid is revocation, something the CA is also in charge of. SSL certificates can be revoked for numerous reasons, such as the encryption keys becoming compromised, an error in the certificate itself, or the SSL owner no longer being considered trustworthy. CAs also maintain a list of revoked SSL certificates (a certificate revocation list, or CRL) that they share with major web browsers, so the browsers know when a certain SSL is no longer valid.
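To make the lifecycle concrete, here is an added example (not part of the original article) that walks a certificate through issuance, an expiry check, revocation and re-verification using a throw-away local CA. It assumes the openssl command-line tool is installed; the CA name, hostname and validity periods are constructed for the demo and stand in for a real, publicly trusted CA.

```shell
#!/bin/sh
# Demo of the CA lifecycle: issue, check expiry, revoke, re-verify.
# Everything here is a constructed, local stand-in for a real CA.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Private root CA. Its signature is what a browser checks, and it only
# means something if the CA is in the trust store (here: -CAfile).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# Minimal CA "database" so openssl can record revocations and build a CRL.
printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=index.txt\ncertificate=ca.crt\nprivate_key=ca.key\ndefault_md=sha256\n' > ca.cnf
: > index.txt

# Issuance: after validation (out of band here) the CA signs the site's
# request and stamps a validity window into the certificate (7 days).
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 7 -out "$1.crt" 2>/dev/null
}

# Expiration: exit 0 if the cert is still valid $2 seconds from now, else 1.
still_valid_in() { openssl x509 -in "$1.crt" -noout -checkend "$2" >/dev/null; }

# Revocation: mark the cert revoked and publish a fresh CRL.
revoke_cert() {
  openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -crldays 7 -out ca.crl 2>/dev/null
}

# Relying-party check: chain to the trusted CA and consult the CRL if present.
verify_cert() {
  if [ -f ca.crl ]; then
    openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1
  fi
}

issue_cert www.example.test
verify_cert www.example.test && echo "issued: chains to a trusted CA"
still_valid_in www.example.test 86400 && echo "still valid tomorrow"
still_valid_in www.example.test 864000 || echo "will have expired in 10 days"
revoke_cert www.example.test
verify_cert www.example.test || echo "revoked: no longer trusted"
```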
The role of trust
When you get an SSL, not just any CA will do. It’s of the utmost importance that a CA is considered trustworthy by the CA/Browser Forum, the entity that regulates the SSL industry, as well as by major web browsers and tech companies. If a CA isn’t trusted, its SSL certificates are basically rendered useless, as they won’t work in most web browsers. Most browsers these days flag sites that have no SSL, or an untrusted one, as not secure. Not ideal.
So, how does a CA become trusted? Basically, meeting the regulatory standards of the aforementioned CA/Browser Forum is a start. After that, individual browsers like Chrome and Firefox have their own guidelines as to what constitutes a trustworthy CA.
This was just a basic overview of what a CA does, and it is a lot of vital work. So if you’re in the market for an SSL, don’t underestimate the role of CAs. Research who they are and their level of trust. Otherwise, you could end up with a certificate that doesn’t even work.
Published by Samantha Brown