A Certificate Authority (CA) is an organization that browsers and operating systems trust to issue and sign SSL/TLS certificates. When a CA signs your certificate, it vouches that the public key in the certificate belongs to whoever controls the domain name in it, so a browser can tell that https://yourbank.com is really being served by your bank and not by an imposter. Without CAs, there would be no way to make that check.
How the CA trust model works
- Root CAs are pre-installed in browsers and operating systems. Apple, Google, Mozilla, and Microsoft each maintain a list of trusted root CAs (the “root store”).
- When you request a certificate, the CA validates your domain ownership (DV) or organizational identity (OV/EV).
- The CA signs your certificate with its private key. The signature binds your domain name to your public key and is the proof of trust.
- When visitors connect, their browser checks that signature, usually through one or more intermediate CA certificates that your server sends along with its own, and follows the chain back to a root in its trust store. It also checks that the certificate actually names the host being visited.
If the chain ends at a trusted root, every signature checks out and the name matches → padlock icon. If not → security warning.
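The chain described above, built and checked with the openssl command-line tool. This is an added example, not code from the original article or from any CA: the names (Example Root CA, Example Intermediate CA, www.example.test, Some Other Root CA) are invented, and the two store files stand in for a browser's root store before and after one root has been distrusted (the situation covered under "What happens if a CA is compromised?" below).

```shell
#!/bin/sh
# Added example, not code from the original article: a toy PKI built with the
# openssl CLI so you can watch the verification step a browser performs.
# All names (Example Root CA, www.example.test, ...) and files are made up.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Minimal openssl config: one extension profile for CA certificates,
# one for a server (leaf) certificate.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

for k in root int leaf other; do
  openssl ecparam -name prime256v1 -genkey -noout -out "$k.key"
done

# Root CA: self-signed and long-lived. This is what a root store would ship.
openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" -days 3650 \
  -config ext.cnf -extensions ca_ext -out root.pem 2>/dev/null

# Intermediate CA, signed by the root. Public CAs issue from intermediates so
# the root key can stay offline.
openssl req -new -key int.key -subj "/CN=Example Intermediate CA" -config ext.cnf -out int.csr
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 \
  -extfile ext.cnf -extensions ca_ext -out int.pem 2>/dev/null

# Leaf (server) certificate for www.example.test, signed by the intermediate.
openssl req -new -key leaf.key -subj "/CN=www.example.test" -config ext.cnf -out leaf.csr
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 90 \
  -extfile ext.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null

# A second, unrelated root, standing in for "some other CA in the root store".
openssl req -x509 -new -key other.key -subj "/CN=Some Other Root CA" -days 3650 \
  -config ext.cnf -extensions ca_ext -out other_root.pem 2>/dev/null

# Two root stores: one that trusts both roots, and one after Example Root CA
# has been distrusted (as with DigiNotar or Symantec: the root is simply gone).
cat root.pem other_root.pem > store.pem
cp other_root.pem store_after_distrust.pem

# What the browser does: take the server's certificate plus the intermediate(s)
# it sent (untrusted input), build a chain to a root in the store, check every
# signature, and check that the certificate names the host being visited.
# $1 = root store file, $2 = intermediate file or "" if the server sent none,
# $3 = leaf certificate, $4 = hostname being visited. Prints OK or FAIL.
browser_check() {
  store=$1; inter=$2; leaf=$3; host=$4
  set -- -CAfile "$store" -verify_hostname "$host"
  if [ -n "$inter" ]; then set -- "$@" -untrusted "$inter"; fi
  if openssl verify "$@" "$leaf" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

openssl x509 -in leaf.pem -noout -subject -issuer
echo "full chain, trusted root, right host:      $(browser_check store.pem int.pem leaf.pem www.example.test)"
echo "full chain, trusted root, wrong host:      $(browser_check store.pem int.pem leaf.pem evil.example.test)"
echo "server forgot to send the intermediate:    $(browser_check store.pem '' leaf.pem www.example.test)"
echo "root store after Example Root CA distrust: $(browser_check store_after_distrust.pem int.pem leaf.pem www.example.test)"
```

Only the first line comes back OK. The other three are the cases behind real-world warnings: a certificate for a different name (a valid certificate is useless to an attacker unless it names the host the victim typed), a server that sends its leaf without the intermediate (works in browsers that cache intermediates and fails elsewhere), and a root that has been pulled from the store.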
Major Certificate Authorities
| CA | Market share | Free option | Notes |
|---|---|---|---|
| Let’s Encrypt | 63.9% | ✅ All free | Nonprofit, largest CA globally |
| GlobalSign | 22.2% | ❌ | Commercial, popular in Europe |
| Sectigo | 5.9% | Limited (ZeroSSL free tier) | Formerly Comodo, owns ZeroSSL |
| DigiCert | ~3% | ❌ | Enterprise-focused, owns Symantec’s CA |
| Google Trust Services | Growing | ✅ Via ACME | Google’s own CA |
| Buypass | <1% | ✅ Go SSL (180 days) | Norwegian CA |
Let’s Encrypt’s 63.9% market share makes it the dominant CA — more than the next five combined.
Why Let’s Encrypt changed everything
Before Let’s Encrypt (launched 2016):
- SSL certificates cost $50-500/year
- Validation required manual paperwork
- Only ~18% of websites used HTTPS
After Let’s Encrypt:
- Free DV certificates for everyone
- Fully automated via ACME protocol
- 86.9% of websites use HTTPS
- Over 1 billion certificates issued
Let’s Encrypt proved that domain-validated encryption should be a baseline, not a premium product. Use GetHTTPS to get a Let’s Encrypt certificate in your browser.
The CA/Browser Forum
The CA/Browser Forum (CA/B Forum) is the industry body where Certificate Authorities and browser vendors jointly set standards for certificate issuance. Key decisions include:
- Baseline Requirements — minimum standards all public CAs must follow
- Certificate validity reduction — in 2025 the Forum voted to cut the maximum validity of public certificates in stages, from 398 days to 200 days (March 2026), then 100 days (March 2027) and finally 47 days (March 2029)
- Certificate Transparency — strictly a browser root-program rule (Chrome and Apple enforce it) rather than part of the Baseline Requirements, but since 2018 a publicly trusted certificate is only accepted if it has been logged to public CT logs
- Deprecation of weak algorithms — phased out SHA-1, MD5, etc.
Members are Certificate Issuers (CAs such as Let’s Encrypt, DigiCert, Sectigo and GlobalSign) and Certificate Consumers (browser and root-store vendors such as Apple, Google, Mozilla and Microsoft). A ballot passes only if at least two-thirds of the voting CAs and a majority of the voting browsers are in favour, so neither side can change the rules alone.
Certificate Transparency
Since 2018, browsers have required that every publicly trusted certificate be submitted to Certificate Transparency (CT) logs, publicly auditable append-only logs, and carry signed proof of that logging (SCTs) before they will accept it. This means:
- Anyone can monitor what certificates are issued for their domain
- Mis-issued certificates are detectable (if a CA issues a cert for google.com to someone who doesn’t control it, Google can see it in the logs)
- Tools like crt.sh let you search CT logs for any domain
CT doesn’t prevent mis-issuance, but it makes it detectable — which is a strong deterrent.
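One way to do that monitoring from a shell, as an added example that is not part of the original article. crt.sh returns one JSON object per logged certificate when queried with output=json; the field names used here (issuer_name, common_name) are what that endpoint returns as assumed in this example, and the three records, the 1001-1003 ids and the "Unknown Issuer" CA are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not part of the original article: the check a domain owner
# would script against CT data, run here on constructed input. The field
# names (issuer_name, common_name) follow crt.sh's output=json format as
# assumed here; the records and the "Unknown Issuer" CA are made up.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# A live query for a real domain would look like this (not run here; check
# crt.sh for the current query syntax):
#   curl -s 'https://crt.sh/?q=%25.example.com&output=json' > ct.json
cat > ct_sample.json <<'EOF'
[{"issuer_ca_id":1,"issuer_name":"C=US, O=Let's Encrypt, CN=R3","common_name":"www.example.test","name_value":"www.example.test","id":1001,"not_before":"2024-05-01T09:00:00","not_after":"2024-07-30T09:00:00"},
{"issuer_ca_id":1,"issuer_name":"C=US, O=Let's Encrypt, CN=R3","common_name":"example.test","name_value":"example.test\nwww.example.test","id":1002,"not_before":"2024-06-01T09:00:00","not_after":"2024-08-30T09:00:00"},
{"issuer_ca_id":2,"issuer_name":"C=XX, O=Unknown Issuer Ltd, CN=Unknown Issuer CA","common_name":"login.example.test","name_value":"login.example.test","id":1003,"not_before":"2024-06-15T09:00:00","not_after":"2025-06-15T09:00:00"}]
EOF

# Print "common_name<TAB>issuer" for every logged certificate whose issuer
# does not match the extended regex in $2 (the CAs you actually use).
# $1 = crt.sh JSON file. crt.sh records contain no nested objects, so one
# '}' ends each record and tr can split the array into lines.
unexpected_certs() {
  tr '}' '\n' < "$1" | while IFS= read -r rec; do
    issuer=$(printf '%s\n' "$rec" | sed -n 's/.*"issuer_name":"\([^"]*\)".*/\1/p')
    [ -n "$issuer" ] || continue
    if printf '%s\n' "$issuer" | grep -Eq "$2"; then continue; fi
    name=$(printf '%s\n' "$rec" | sed -n 's/.*"common_name":"\([^"]*\)".*/\1/p')
    printf '%s\t%s\n' "$name" "$issuer"
  done
}

# A domain that only ever uses Let's Encrypt should see exactly one hit:
# the login.example.test certificate from the unknown CA.
unexpected_certs ct_sample.json "O=Let's Encrypt"
```

Anything this prints is a certificate for your name space from a CA you do not use, which is exactly the signal CT exists to give you. Where jq is installed the same filter is a one-liner and more robust than sed; in practice you would also drop entries whose not_after is in the past, and subscribe to a monitoring service that polls the logs for you rather than searching by hand.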
How to choose a CA
For most websites, the choice is simple:
| Need | Recommended CA | How to get |
|---|---|---|
| Free DV certificate | Let’s Encrypt | GetHTTPS or Certbot |
| Free DV with longer validity | Buypass Go (180 days) | acme.sh or Certbot |
| OV/EV for compliance | DigiCert or Sectigo | Buy from their website |
| Automatic with Cloudflare | Cloudflare Universal SSL (the edge certificate is issued on your behalf by a partner CA such as Let’s Encrypt or Google Trust Services) | Enable in Cloudflare dashboard |
Frequently asked questions
Can anyone become a CA?
Technically anyone can create a CA (a few openssl commands will do it), and a private CA is fine for devices and services you control. Browsers will not trust it for the public web, though, unless it meets the CA/Browser Forum’s Baseline Requirements, passes annual WebTrust or ETSI audits and is accepted into each vendor’s root program (Apple, Google, Microsoft and Mozilla each run their own). That process takes years, costs millions in audits and infrastructure, and requires strict operational security for as long as the CA exists (offline root keys, hardware security modules, 24/7 incident response).
What happens if a CA is compromised?
Browser and OS vendors remove the CA’s roots from their trust stores via software updates, sometimes in stages (certificates issued after a cut-off date first, then everything). Once a root is gone, every certificate that chains to it fails validation and site owners must get new certificates from another CA. Notable incidents:
- DigiNotar (2011) — hacked, issued fraudulent certificates for Google and other domains that were used against users in Iran. Every major browser removed its roots within days and the company went bankrupt the same year.
- Symantec (2017-2018) — persistent mis-issuance and weak oversight of partner CAs. Google Chrome distrusted Symantec-issued certificates in stages during 2018 (older certificates first, then all of them). DigiCert acquired Symantec’s CA business and reissued customers’ certificates from its own roots.
Root keys are stored in offline hardware security modules (HSMs) with physical access controls to minimize this risk.
Are all CA certificates equally trusted by browsers?
Yes, in terms of the padlock icon. A free Let’s Encrypt DV certificate and a $500 DigiCert EV certificate show the same indicator in the address bar (Chrome and Firefox dropped the special EV display in 2019). A certificate that chains to any root in the browser’s store passes validation; the browser does not rank roots. The differences are in the validation level (DV/OV/EV) and in commercial extras (support, warranty), not in the strength of the encryption, which depends on your server’s key and TLS configuration rather than on who signed the certificate.
How many CAs are there?
There are roughly 100-150 root certificates in the major trust stores, owned by a smaller number of organizations since many CAs operate several roots, but issuance is heavily concentrated. Let’s Encrypt (63.9%), GlobalSign (22.2%) and Sectigo (5.9%) together account for over 90% of all issued certificates.