SSL Certificate Authority — What You Should Know About SSL Authority Organizations

Understanding the role an SSL certificate authority plays in public key infrastructure (PKI) and how to choose the best certificate authority for your site

If you’re trying to understand what an SSL certificate authority is, let’s consider a few analogies: If public key infrastructure (PKI) was a tree, certificate authority (CA) would be its trunk; if it was a car, CA would be its chassis; if it was a chair, CA would be its sturdy frame. Well, we’re getting too much off track, but you get the point, right?

Certificate authorities (CAs) are the most crucial element of modern cryptography since they’re the ones that manage and issue digital certificates. Although certificate authorities issue many other forms of encryption and authentication certificates, we’re going to see the role of a CA in terms of SSL/TLS certificates.

SSL Certificate Authority — The Most Crucial Element of the SSL Ecosystem

Let’s say that you go on the internet to purchase an expensive pair of shoes that you’ve wanted for a long time. For that, you go to a search engine and enter the name of the shoe brand. A result pops up on the top of the list that claims to be the brand’s official website. You go to that website, search for your favourite shoes, select your size, and order it by paying online.

Now, what’s guarantee do you have that the website is what it says it is? Is it really the site of the official brand or is it an imposter? That’s where SSL certificate authorities come into play. SSL certificate authorities are the originator of SSL certificates. Their role isn’t just limited to the issuance process — it goes way beyond that and starts well before the issuance process.

Before issuing an SSL certificate, a certificate authority conducts a thorough vetting process of the organization or individual who wants to purchase an SSL certificate. However, the level of verification they need to perform totally depends upon the type of SSL certificate they’re being asked to issue.

If someone wants to purchase a domain validation (DV) SSL certificate, the CA just verifies the ownership over the domain and then, once it’s verified via email, it issues the certificate. This process is fully automated and, therefore, can be completed within minutes. As far as organization validation (OV) and extended validation (EV) SSL certificates are concerned, however, the CA verifies business registration and credit reports to check the authenticity of the organization applying for certificate. This usually takes up to three days for OV and five days for EV.

Upon successful validation, the certificate authority issues a certificate. This validation process is, perhaps, the most crucial part of the entire issuance process. If a certificate is issued to a wrong or fraudulent entity, then it could create distrust in the entire SSL industry.

What Does It Take to be an SSL Certificate Authority?

Knowingly or unknowingly, billions of internet users around the world place their trust in certificate authorities. There must be some standards or criteria they have to meet, right? Well, you’re right. To be a certificate authority, you must fulfil criteria set by body consisting of browsers, operating systems, and mobile platform developers. Only upon authorization by these entities, you’re eligible to become a certificate authority (CA).

One of the first thing you need to have as a CA is a multi-million dollar infrastructure that consists of:

• sizeable operational elements,
• hardware,
• software,
• policy frameworks,
• practice statements,
• auditing,
• security infrastructure, and
• personnel.

Combined together, these elements are regarded as a trusted public key infrastructure).

How Do You Select the Best SSL Certificate Authority for Your Website?

Now, this is the question that spins the heads of many, and it’s completely understandable! After all, there are so many certificate authorities to choose from — how do you decide between them? Well, this question won’t be as difficult once you know what you’re looking for in an SSL certificate authority.

Here are several key points to consider when selecting the best certificate authority for the security of your website:

History & Reputation

There have been incidents in the past where certificate authorities issued certificates and it turned into a disaster. Such incidents are quite rare but, unfortunately, they do happen. That’s why checking the history and reputation of a CA is a must.

Security Measures Taken by CA

CAs store cryptographic keys of millions of websites around the world. These cryptographic keys are very sensitive and could cause a mayhem if compromised.

Popularity

At first glance, there might not seem much sense behind this but there surely is. If a large number of people use a particular CA’s certificates, it likely means that they feel comfortable placing their trust in that particular certificate authority. This wouldn’t happen if a CA doesn’t have good reputation or is unreliable. Therefore, popularity can be a good metric to judge how good a CA is.

Strictness Followed in the Validation Process

No website administrator likes to undergo stringent validation process, right? However, you need to see the bigger picture here. A CA who makes you go through a rigorous validation procedure is likely to be following the guidelines set by CA/Browser Forum. Therefore, it decreases the chance of wrong issuance and protect overall security of your website. 

The SSL Authority’s Level of Support and Availability

Dealing with SSL certificates can get tricky at times, especially if you’re doing it for the first time. In such times, you need more than documents and support forums, you need to get support from an expert support who can intervene and help you solve your problem. Some certificate authorities, including us at Comodo CA, offer 24/7/365 customer support through chat and email. If you’re someone who needs or will need this kind of support, this should be a criteria when selecting the right CA.