What Is a Certificate Authority?
A certificate authority (CA) is a trusted organization that issues digital certificates used to verify the identity of websites, servers, and other entities on the internet. When you visit a website over HTTPS, your browser checks the site's TLS certificate (still commonly called an SSL certificate) to confirm that it was issued by a trusted CA, that it is within its validity period, and that it names the host you asked for. If all of that holds, the browser completes the encrypted connection. If not, the browser displays a security warning.
Certificate authorities are the foundation of trust on the internet. Encryption alone does not help if you cannot tell who is on the other end: without a CA's signature there would be no reliable way to verify that the website you are connecting to is actually the site it claims to be, and an attacker on the network path could present their own key and read or alter the traffic in a man-in-the-middle attack.
How Certificate Authorities Work
The process of obtaining a certificate from a CA follows a standard workflow:
- Certificate Signing Request (CSR). The website owner generates a key pair on their server and creates a CSR, which includes the domain name, organization details, and the public key, and is signed with the private key as proof that the requester actually holds it. The private key stays on the server and is never shared, not even with the CA.
- Identity verification. The CA verifies that the requester controls the domain. Depending on the certificate type, this may involve publishing a DNS record, serving a challenge file over HTTP, confirming an email sent to an address at the domain, or in-depth organizational vetting.
- Certificate signing. Once verified, the CA signs the certificate with its own private key. This signature is what browsers and operating systems use to confirm the certificate's authenticity.
- Installation. The signed certificate is installed on the web server together with the CA's intermediate certificate, because the server presents the whole chain to clients. Browsers then validate that chain up to a root certificate that is pre-installed in the browser or operating system's trust store.
Types of Certificates
CAs issue several types of certificates, each with a different level of identity verification:
- Domain Validated (DV). The CA verifies only that the requester controls the domain, typically through a DNS record, an HTTP challenge, or an email to the domain. DV certificates are the fastest and cheapest to obtain; Let's Encrypt issues them for free.
- Organization Validated (OV). The CA verifies domain control and also confirms the organization's legal identity. OV certificates display the organization name in the certificate details, providing more assurance to users.
- Extended Validation (EV). The CA performs the most rigorous verification, including legal identity, physical address, and operational status. EV certificates were historically shown with a green address bar, though most browsers have moved away from this visual distinction.
Major Certificate Authorities
The certificate authority ecosystem includes both free and commercial providers:
- Let's Encrypt. A free, automated, open CA operated by the Internet Security Research Group (ISRG). Let's Encrypt issues DV certificates (valid for 90 days, so renewal has to be automated) and has become the most widely used CA by volume, largely because of the ACME protocol it pioneered, now standardized as RFC 8555, which enables fully automated domain validation, issuance, and renewal.
- DigiCert. A major commercial CA that provides DV, OV, and EV certificates. DigiCert is widely used by enterprises and high-traffic websites that require higher assurance certificates.
- Sectigo (formerly Comodo CA). One of the largest commercial CAs, offering a full range of certificate types for websites, code signing, and email encryption.
The Chain of Trust
Browsers do not trust certificates directly; they trust a hierarchy. At the top are root CAs, whose self-signed root certificates are embedded in browsers and operating systems. Because a root key is so valuable, it is kept offline and used only to sign intermediate certificates, which in turn sign the end-entity (leaf) certificates installed on websites. This chain (root, intermediate, end-entity) is called the chain of trust. When your browser validates a certificate, it walks up the chain, checking that each certificate's signature was made by the key in the certificate above it, until it reaches a root in its trust store. The server is expected to send its intermediates along with its own certificate; a missing intermediate is one of the most common causes of certificate errors.
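The whole workflow above, from key pair and CSR through CA signing to the chain walk a browser performs, as an added example that is not part of the original page: a toy three-tier PKI built with the openssl command-line tool. The CA names, the example.com host, the validity periods and the file names are all made up, and everything runs in a scratch directory. A real CA would also perform the domain-control check before signing; that step is left out because there is no DNS to query here.

```shell
#!/bin/sh
# Added example, not from the original page: a toy root -> intermediate -> leaf PKI
# built with the openssl CLI. "Example Root CA", "Example Intermediate CA" and
# example.com are made-up names; everything lives in a scratch dir removed on exit.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Step 1 (the CA): a self-signed root. Real root keys stay offline in an HSM, which
# is why day-to-day signing is delegated to an intermediate.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout root.key -out root.crt -days 3650 -subj "/CN=Example Root CA"

# Step 2 (the CA): an intermediate CA certificate signed by the root.
# pathlen:0 means it may sign end-entity certificates only, not further CAs.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout int.key -out int.csr -subj "/CN=Example Intermediate CA"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile int.ext -out int.crt

# Step 3 (the site operator): key pair and CSR. Only site.csr leaves the server.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout site.key -out site.csr -subj "/CN=example.com"

# Step 4 (the CA): check the CSR's self-signature (proof the requester holds the
# private key), then issue a 90-day end-entity certificate from the intermediate.
# Domain-control validation (DNS/HTTP challenge) would happen here; not shown.
openssl req -in site.csr -noout -verify
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:example.com,DNS:www.example.com\n' > site.ext
openssl x509 -req -in site.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 90 -extfile site.ext -out site.crt

# Step 5 (the site operator): what the server will send, leaf first, then the
# intermediate. The root is never sent; the client already has it in its store.
cat site.crt int.crt > fullchain.pem

# What a browser does. verify_chain ROOT INTERMEDIATE LEAF HOSTNAME: trust only
# ROOT, treat INTERMEDIATE as server-supplied (pass "" to simulate a server that
# forgot to send it), check the leaf's purpose and hostname. Exit 0 = accepted.
verify_chain() {
    root=$1 inter=$2 leaf=$3 host=$4
    set -- -CAfile "$root" -purpose sslserver -verify_hostname "$host"
    if [ -n "$inter" ]; then set -- "$@" -untrusted "$inter"; fi
    openssl verify "$@" "$leaf"
}

echo "--- full chain, trusted root, matching hostname:"
verify_chain root.crt int.crt site.crt example.com
echo "--- missing intermediate (the classic misconfiguration):"
verify_chain root.crt "" site.crt example.com || true
echo "--- hostname not in the certificate:"
verify_chain root.crt int.crt site.crt evil.example || true
echo "--- same chain, but this client does not trust the root:"
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout other.key -out other-root.crt -days 3650 -subj "/CN=Some Other Root CA"
verify_chain other-root.crt int.crt site.crt example.com || true
```

Only the first verification prints "site.crt: OK"; the other three fail for the three independent reasons a browser can reject a site: the chain cannot be completed, the name does not match, or the chain ends at a root the client does not trust. Note that the trust store only ever contains root.crt; the intermediate is supplied by the server via -untrusted, exactly as in a TLS handshake.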
CAA Records
A CAA (Certificate Authority Authorization) DNS record, defined in RFC 8659, lets domain owners specify which CAs are allowed to issue certificates for their domain. For example, publishing the record example.com. CAA 0 issue "letsencrypt.org" authorizes only Let's Encrypt for example.com; a separate issuewild tag controls wildcard certificates, and a value of ";" means no CA may issue at all. If a name has no CAA records of its own, the CA climbs to the parent names and uses the first set it finds, so a record at the zone apex covers every subdomain that does not publish its own. This is an important defense against certificate misissuance, whether accidental or malicious, but its limits matter. The CA/Browser Forum Baseline Requirements have required all publicly trusted CAs to check CAA at issuance time since September 2017, so a compliant CA will refuse to issue; browsers, however, do not check CAA during the TLS handshake, so a record does nothing about certificates that already exist and cannot stop a compromised or non-compliant CA.
Properly configured CAA records, combined with HSTS (which makes browsers refuse plain-HTTP connections and treat certificate errors as fatal for sites they have already seen) and the other standard security headers, form a solid foundation for transport security.
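The issuance check a CA performs against CAA, as an added example that is not from the original page. It replaces live DNS with a constructed zone of three records and implements the lookup rules of RFC 8659: climb to parent names until a CAA set is found, let issuewild override issue for wildcard requests, and treat ";" as deny-all. The domain names and CA identifiers are assumptions for illustration, and the optional parameters that can follow a CA domain in a real record are not parsed.

```shell
#!/bin/sh
# Added example, not from the original page: the CAA issuance check a CA performs,
# run against a constructed in-memory "zone" instead of live DNS. The names
# (example.com, api.example.com) and CA domains are made up. Records are
# "owner tag value", one per line; CAA parameters after the value are omitted.
CAA_ZONE='example.com issue letsencrypt.org
example.com issuewild ;
api.example.com issue digicert.com'

# caa_set NAME: the CAA records ("tag value") published at exactly NAME, if any.
caa_set() {
    printf '%s\n' "$CAA_ZONE" | awk -v owner="$1" '$1 == owner { print $2, $3 }'
}

# caa_relevant NAME: the Relevant RRset of RFC 8659. If NAME has no CAA records,
# the CA climbs to the parent (www.example.com -> example.com -> com) and uses the
# first non-empty set it finds; a set found lower wins and is not merged upward.
caa_relevant() {
    name=$1
    while [ -n "$name" ]; do
        rrs=$(caa_set "$name")
        if [ -n "$rrs" ]; then
            printf '%s\n' "$rrs"
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;   # strip the leftmost label and climb
            *)   return 0 ;;          # the TLD was checked too: nothing anywhere
        esac
    done
}

# caa_allows NAME CA_DOMAIN [wild]: exit 0 if the CA identified by CA_DOMAIN may
# issue for NAME (or for *.NAME when the third argument is "wild").
caa_allows() {
    rrs=$(caa_relevant "$1")
    if [ -z "$rrs" ]; then
        return 0                      # no CAA anywhere in the tree: unrestricted
    fi
    tag=issue
    # For wildcards, issuewild takes over completely when present; otherwise the
    # issue records apply to wildcard names as well.
    if [ "${3:-}" = wild ] && printf '%s\n' "$rrs" | grep -q '^issuewild '; then
        tag=issuewild
    fi
    # Allowed if no record carries the applicable tag, or one of them names this
    # CA. The value ";" (no issuer) matches nobody, so it blocks every CA.
    printf '%s\n' "$rrs" | awk -v t="$tag" -v ca="$2" '
        $1 == t { seen = 1; if ($2 == ca) ok = 1 }
        END { exit (seen && !ok) }'
}

report() {
    if caa_allows "$@"; then printf 'allow  %s\n' "$*"; else printf 'deny   %s\n' "$*"; fi
}
report www.example.com letsencrypt.org         # inherited from example.com
report www.example.com digicert.com            # not listed at example.com
report example.com letsencrypt.org wild        # issuewild ";" forbids all wildcards
report api.example.com digicert.com            # subtree with its own policy
report api.example.com letsencrypt.org         # parent's policy does not apply here
report api.example.com digicert.com wild       # no issuewild here, so issue governs
report nothing.example anyca.example           # no CAA anywhere: unrestricted
```

The last case is the one worth remembering: a domain with no CAA record at all places no restriction on anyone, which is the default state of most of the DNS. The api.example.com case shows the other side of the rule: once a name publishes its own CAA set, the parent's records are ignored entirely for that subtree, including the parent's wildcard prohibition.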