The Certificate Authority Ecosystem
Certificate Authorities (CAs) form the trust foundation of the PKI system. These organizations undergo rigorous audits to ensure they follow industry standards for validation, security, and operations. Root CAs maintain the ultimate trust anchors – root certificates pre-installed in browsers and operating systems. These root certificates sign intermediate certificates, which in turn sign end-entity certificates used by websites, creating a chain of trust from websites to trusted roots.
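As an added example that is not part of the original article, the Go program below builds the three-tier hierarchy just described with constructed names ("Example Root CA", "Example Intermediate CA", "www.example.test") and fresh keys, then performs the path-building step a browser does: from the site certificate, through the server-supplied intermediate, to a root it already trusts. Names, serial numbers and validity period are invented for the example.

```go
package main

import "crypto/ecdsa"
import "crypto/elliptic"
import "crypto/rand"
import "crypto/x509"
import "crypto/x509/pkix"
import "math/big"
import "time"

// template builds a certificate template with constructed names; isCA marks it as a signing authority.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA { // end-entity: browsers match the host against the SAN list, not the CN
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with the signer's private key; parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) } // constructed data: a failure here is a programming error
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildChain creates the root -> intermediate -> leaf hierarchy the text describes, with fresh P-256 keys.
func BuildChain() (root, inter, leaf *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootT := template("Example Root CA", 1, true)
	root = issue(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed trust anchor
	inter = issue(template("Example Intermediate CA", 2, true), root, &interKey.PublicKey, rootKey)
	leaf = issue(template("www.example.test", 3, false), inter, &leafKey.PublicKey, interKey)
	return
}

// VerifyLeaf is the browser's path-building step: leaf -> server-supplied intermediates -> a trusted root.
func VerifyLeaf(leaf *x509.Certificate, host string, root *x509.Certificate, inters ...*x509.Certificate) error {
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	for _, c := range inters { opts.Intermediates.AddCert(c) }
	_, err := leaf.Verify(opts)
	return err
}
```

Verification fails when the intermediate is omitted, when the host name does not match the SAN, or when the root store holds a different CA's root, even one with the same subject name, which is why the trust anchor is the key, not the name.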
The CA/Browser Forum governs certificate issuance practices through its Baseline Requirements and Extended Validation Guidelines. This industry body brings together Certificate Authorities and browser vendors to establish and maintain standards for certificate issuance, validation procedures, and technical requirements. Regular updates to these requirements address emerging threats and evolving web standards, keeping the certificate ecosystem secure and trustworthy.
Certificate Transparency (CT) adds a layer of accountability to the certificate ecosystem. CT requires CAs to log every certificate they issue to public, append-only logs. This transparency lets domain owners monitor for unauthorized certificates, lets security researchers detect CA misbehavior, and lets browsers verify that certificates have been properly logged. Modern browsers increasingly require CT compliance, making it an essential component of certificate issuance.
The business model of Certificate Authorities varies significantly. Commercial CAs like DigiCert, Sectigo, and GlobalSign charge for certificates, providing various support levels and additional services. Non-profit CAs like Let's Encrypt provide free certificates with automated issuance, democratizing web security. Some organizations operate private CAs for internal use, maintaining complete control over their certificate infrastructure. Each model serves different needs within the broader ecosystem.