Certificate authority

Certificate authority

Certificate authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The most commonly encountered public-key infrastructure (PKI) schemes are those used to implement https on the world-wide web. All these are based upon the X.509 standard and feature CAs.

The clients of a CA are server supervisors who call for a certificate that their servers will bestow to users. Commercial CAs charge to issue certificates, and their customers anticipate the CA's certificate to be contained within the majority of web browsers, so that safe connections to the certified servers work efficiently out-of-the-box. The quantity of internet browsers, other devices and applications which trust a particular certificate authority is referred to as ubiquity. Mozilla, which is a non-profit business, issues several commercial CA certificates with its products.[1] While Mozilla developed their own policy, the CA/Browser Forum developed similar guidelines for CA trust. A single CA certificate may be shared among multiple CAs or their resellers. A root CA certificate may be the base to issue multiple intermediate CA certificates with varying validation requirements.

In addition to commercial CAs, some non-profits issue digital certificates to the public without charge; notable examples are CAcert and Let's Encrypt.

Large organizations or government bodies may have their own PKIs (public key infrastructure), each containing their own CAs. Any site using self-signed certificates acts as its own CA.

Browsers and other clients of sorts characteristically allow users to add or do away with CA certificates at will. While server certificates regularly last for a relatively short period, CA certificates are further extended,[2] so, for repeatedly visited servers, it is less error-prone importing and trusting the CA issued, rather than confirm a security exemption each time the server's certificate is renewed.

Less often, trustworthy certificates are for encrypting or signing messages. CAs dispense end-user certificates too, which can be used with S/MIME. However, encryption entails the receiver's public key and, since authors and receivers of encrypted messages, apparently, know one another, the usefulness of a trusted third party remains confined to the signature verification of messages sent to public mailing lists.

Worldwide, the certificate authority business is fragmented, with national or regional providers dominating their home market. This is because many uses of digital certificates, such as for legally binding digital signatures, are linked to local law, regulations, and accreditation schemes for certificate authorities.

Most popular SSL certificate authorities according to w3techs survey,


SL Authorities usage change since market change since
1-Nov-16 share 1-Nov-16
1 Comodo 12.20% 2.50% 43.40% 3.30%
2 Symantec Group 5.10%   18.20% -2.70%
3 IdenTrust 4.90% 1.20% 17.50% 2.50%
4 GoDaddy Group 2.50% 0.10% 8.80% -1.20%
5 GlobalSign 1.60%   5.70% -0.80%


Below are the major open source implementations of certificate authority software exist. Common to all is that they provide the necessary services to issue, revoke and manage digital certificates. 

  • DogTag
  • gnoMint
  • OpenCA
  • OpenSSL, an SSL/TLS library that comes with tools allowing its use as a simple certificate authority
  • EasyRSA, OpenVPN's command line CA utilities using OpenSSL.
  • r509
  • TinyCA, which is a perl gui on top of some CPAN modules.
  • XCA
  • XiPKI, CA and OCSP responder. With SHA3 support, OSGi-based (Java).
  • Automated Certificate Management Environment (ACME), a protocol for communications between its certificate authority and servers. Let's Encrypt provides reference open source software implementations for ACME: lets-encrypt-preview is a Python-based test implementation of server certificate management software using the ACME protocol, and boulder is a CA implementation, written in the Go programming language.

Leave a comment