Certificate Authority
A Certificate Authority (CA) is a trusted organization that issues digital SSL/TLS certificates verifying the identity of websites, servers, and other entities on the internet. Browsers ship with a root store of trusted Certificate Authorities, and any certificate that chains up to one of those roots is accepted as valid. Examples include Let's Encrypt, DigiCert, Sectigo, and GlobalSign, each operating under strict auditing rules: to stay in the browser root stores a public CA must follow the CA/Browser Forum Baseline Requirements and pass regular WebTrust or ETSI audits.
How It Works
When a website requests an SSL/TLS certificate, the Certificate Authority (CA) validates the request at one of three levels: Domain Validation (DV) confirms control over the domain via a DNS record, a file served over HTTP, or an email to an address at the domain; Organization Validation (OV) also verifies that the requesting company exists; Extended Validation (EV) adds further legal checks on the organization. Once verified, the CA signs the certificate with its private key (in practice the key of an intermediate CA, not the root itself), creating a cryptographic chain of trust. The validation level changes how much the CA has checked about who controls the name, not the strength of the encryption; a DV and an EV certificate protect the connection equally.
Browsers and operating systems maintain a preloaded list of trusted root CAs. Any certificate that chains to a root in that list is automatically accepted. Intermediate certificates form the chain between the root CA and the end-entity certificate on your website: the root key stays offline and signs only intermediates, day-to-day issuance happens under an intermediate, and if an intermediate key is compromised the CA can revoke it and issue a new one without replacing the root in every browser. Your server must send the intermediate along with its own certificate; a missing intermediate is one of the most common causes of "incomplete chain" errors after a manual certificate install.
Why It Matters for Web Hosting
Most hosting providers offer free DV certificates from Let's Encrypt as part of their plans, which is sufficient for personal sites, blogs, and small businesses. Ecommerce stores and regulated industries often pay for OV or EV certificates from commercial CAs for the stronger identity signals, though mainstream browsers stopped showing a distinct EV indicator in the address bar in 2019, so that benefit lives in the certificate details and the CA's warranty rather than in anything visitors see. When comparing hosting plans, check whether free SSL installation is automated, whether wildcard certificates are included, and whether renewal is handled automatically: Let's Encrypt certificates are valid for 90 days, so a plan that leaves renewal to you will eventually leave you with an expired certificate.
Types of Certificate Authorities
- Root CA — the top-level trust anchor whose keys are preloaded in browsers
- Intermediate CA — signs end-entity certificates on behalf of a root, reducing root key exposure
- Free CA — Let's Encrypt, ZeroSSL, Buypass, offering automated DV certificates at no cost
- Commercial CA — DigiCert, Sectigo, GlobalSign, offering DV, OV, EV, and wildcard options with warranties and support
- Private CA — internal CAs used inside organizations for servers and devices not exposed to the public internet; their root must be installed on every client that should trust them
Certificate Authority vs Self-Signed Certificate
A self-signed certificate encrypts traffic but carries no third-party proof of who holds the key, so no browser trusts it by default and visitors see a security warning. A certificate issued by a recognized Certificate Authority is automatically trusted because the CA's root is in the browser's trust store. Self-signed certificates are fine for internal tools or local development, provided you install the certificate (or a private CA's root) into the clients that need it rather than teaching users to click through warnings; a user who clicks through cannot tell your certificate from one presented by an attacker in the middle. Public websites need a CA-issued certificate to avoid breaking the user experience.
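The following script is an added example, not code from the original page or from any of the CAs named in it. It builds the chain described under "How It Works" (a root that signs an intermediate, an intermediate that signs the website's certificate) with the openssl CLI, then runs the verification a browser performs: chain to a trusted root plus hostname match against the SAN. It also shows the three ways that check fails in practice: a server that forgets to send the intermediate, a certificate for the wrong hostname, and the self-signed certificate discussed in this section. It assumes openssl 1.1.1 or newer is on PATH; every name in it (Example Root CA, www.example.test, and so on) is made up.

```sh
#!/bin/sh
# Added example, not from the original page: a root -> intermediate -> leaf
# chain built with the openssl CLI (assumed 1.1.1 or newer on PATH), then
# verified the way a browser would. All names used here are made up.
set -eu

PKI="$(mktemp -d)"
trap 'rm -rf "$PKI"' EXIT

# Extension profiles for each tier. The root and intermediate are CAs; the
# intermediate gets pathlen:0 so it cannot mint further CAs; the end-entity
# cert is explicitly not a CA and carries the hostname in a SAN, which is
# what a DV check ultimately vouches for.
cat >"$PKI/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# gen_key FILE: P-256 private key (fast, and accepted by every public CA).
gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# build_pki: self-signed root (trust anchor) -> intermediate -> 90-day leaf,
# plus a self-signed certificate for the same hostname that chains to nothing.
build_pki() {
  gen_key "$PKI/root.key"
  openssl req -x509 -new -key "$PKI/root.key" -out "$PKI/root.pem" -days 3650 \
    -subj "/CN=Example Root CA" -config "$PKI/ext.cnf" -extensions v3_root

  gen_key "$PKI/int.key"
  openssl req -new -key "$PKI/int.key" -out "$PKI/int.csr" \
    -subj "/CN=Example Intermediate CA" -config "$PKI/ext.cnf"
  openssl x509 -req -in "$PKI/int.csr" -out "$PKI/int.pem" -days 1825 \
    -CA "$PKI/root.pem" -CAkey "$PKI/root.key" -CAcreateserial \
    -extfile "$PKI/ext.cnf" -extensions v3_intermediate

  gen_key "$PKI/leaf.key"
  openssl req -new -key "$PKI/leaf.key" -out "$PKI/leaf.csr" \
    -subj "/CN=www.example.test" -config "$PKI/ext.cnf"
  openssl x509 -req -in "$PKI/leaf.csr" -out "$PKI/leaf.pem" -days 90 \
    -CA "$PKI/int.pem" -CAkey "$PKI/int.key" -CAcreateserial \
    -extfile "$PKI/ext.cnf" -extensions v3_leaf

  gen_key "$PKI/self.key"
  openssl req -x509 -new -key "$PKI/self.key" -out "$PKI/self.pem" -days 90 \
    -subj "/CN=www.example.test" -config "$PKI/ext.cnf" -extensions v3_leaf
}

# verify_cert LEAF HOSTNAME [INTERMEDIATE]: the two checks a browser makes,
# with only our root as trust anchor (-no-CApath/-no-CAfile keep the system
# store out of it). Exit status is openssl's: 0 means trusted.
verify_cert() {
  leaf=$1; host=$2; intermediate=${3:-}
  set -- -no-CApath -no-CAfile -CAfile "$PKI/root.pem" -verify_hostname "$host"
  if [ -n "$intermediate" ]; then set -- "$@" -untrusted "$intermediate"; fi
  openssl verify "$@" "$leaf"
}

# still_valid_in SECONDS CERT: exit 0 if CERT does not expire within SECONDS.
# A renewal job should fire well inside this window; Let's Encrypt leaves
# 90 days, which is why hosting plans need renewal to be automatic.
still_valid_in() { openssl x509 -noout -checkend "$1" -in "$2"; }

build_pki
echo "== full chain, right hostname: what a browser accepts =="
verify_cert "$PKI/leaf.pem" www.example.test "$PKI/int.pem"
echo "== leaf without the intermediate: a common server misconfiguration =="
verify_cert "$PKI/leaf.pem" www.example.test || true
echo "== right chain, hostname not in the SAN =="
verify_cert "$PKI/leaf.pem" mail.example.test "$PKI/int.pem" || true
echo "== self-signed: nothing in the trust store vouches for it =="
verify_cert "$PKI/self.pem" www.example.test || true
echo "== renewal check: still valid 30 days out? =="
still_valid_in 2592000 "$PKI/leaf.pem" && echo "no renewal needed yet"
```

Only the first verify_cert call prints "OK"; the other three fail for different reasons (no issuer found for the leaf, hostname mismatch, depth-zero self-signed certificate), which is exactly the distinction a browser draws between a CA-issued certificate and a self-signed one. The -no-CApath/-no-CAfile flags matter when you script this on a real host: without them openssl also consults the system root store, and a check that was meant to answer "does this chain to my private CA" quietly starts answering a different question.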