Glossary

Certificate Authority

Definition: A trusted organisation that issues, validates and revokes digital certificates used to verify website identities in HTTPS connections.

A Certificate Authority (CA) is a trusted entity that issues digital certificates — the files installed on web servers that enable HTTPS. When a browser connects to an HTTPS site, it verifies that the site's certificate was issued and signed by a trusted CA. This chain of trust is what lets the browser authenticate the server it is talking to, which is what makes HTTPS secure.

How the CA Trust Model Works

  1. Browser and operating system vendors (Google, Apple, Mozilla, Microsoft) maintain a list of root CAs they trust.
  2. These root CAs issue certificates to intermediate CAs.
  3. Intermediate CAs issue certificates to websites.
  4. When a browser sees a website's certificate, it checks each signature along the certificate chain up to a root CA on that trusted list.

Major Certificate Authorities

  • DigiCert — One of the largest CAs, known for premium certificates.
  • Sectigo (formerly Comodo) — High volume issuer.
  • Let's Encrypt — Free, automated, non-profit CA. Issues ~400 million certificates.
  • GlobalSign, Entrust, GoDaddy — Other major commercial CAs.

What Happens When a CA Is Compromised?

If a CA is compromised (as happened with DigiNotar in 2011), browser vendors can revoke trust in that CA, so that every certificate it issued is no longer accepted. This is a drastic but necessary safety measure.

Certificate Revocation

CAs can revoke certificates before their expiry date if the private key is compromised. Revocation is communicated via CRLs (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol).