What a CA does

A CA verifies an applicant's control of a domain (and optionally the organisation), then issues a signed certificate. The signature is the CA's guarantee: "we have checked this, and the key belongs to this domain." How thorough the check is depends on the validation level (DV, OV, EV).

Roots and intermediates

CAs rarely issue directly from their root. Instead they use intermediate certificates: the root signs an intermediate, and the intermediate signs your certificate. This forms a certificate chain that the client follows up to a trusted root. The root is kept offline and protected, because it is the source of all trust.

Why browsers trust CAs

Every browser and operating system has a root store: a curated list of CA roots it trusts. To get in, a CA must meet the strict requirements of the CA/Browser Forum and be audited continuously. It is an exclusive club, and membership can be revoked.

When a CA loses trust

If a CA misissues or breaks the rules, browsers can remove its root. This has happened to large, established CAs, Symantec (2018) and Entrust (2024) among them. The lesson: a CA's trustworthiness is about compliance history, not price. We expand on this in "Which CA you should choose". You can also control which CAs are allowed to issue for your domains with a CAA record.

How CertControl helps

CertControl shows which CA issued each of your certificates, watches the chain, and warns about expiry — so you always know who stands behind your trust, and when renewal is due.

Frequently asked questions

What is the difference between a root and an intermediate CA?

The root sits at the top of the chain of trust and is kept offline. Intermediates are signed by the root and used for day-to-day issuance, so the root is never exposed.

Can anyone become a CA?

No. A publicly trusted CA must be admitted to browser root stores under strict requirements and continuous auditing via the CA/Browser Forum.

Is an expensive CA more trustworthy?

No. Browser trust is identical. Several distrusted CAs were large, expensive providers. Compliance history matters more than price.