Resource Library

Looking for something? Search or browse our extensive library of resources

  • Learn More

    Understanding the Different Types of Certificate Authorities 

    Blog Post from Sectigo

    Blog Post Jul 28, 2023

    Establishing trust online is a crucial component of collaboration in the digital age. From using a third-party vendor to shopping online to communicating via email, companies and individuals rely on this trust to do business. How can they know they are communicating with the right person and not an actor behind a phishing scheme?

    A certificate authority (CA) plays a vital role in making this happen. CAs follow strict industry standards, verify identities, and issue digital certificates. Here is your guide to what a CA is, why it matters, and the different types of CAs available today.

    What Is a Certificate Authority (CA)?

    Certificates assure that a system is who it says it is, but the party relying on a certificate must also be assured that the certificate itself is genuine. This is where trusted third parties come into play. Certificate authorities are independent bodies that issue and vouch for certificates.

    As a vital component of the public key infrastructure (PKI), CAs create digital certificates that cryptographically link public keys with the owners’ identities. The CA is responsible for validating the identity of the entity associated with a given public key and issuing the digital certificates that attest to this identity. The CA follows specific protocols to verify the requester's identity before issuing the certificate. These protocols involve checking official documentation or performing a background check.

    CAs also have mechanisms for revoking certificates. Revocation happens when a key associated with a certificate is compromised or if the entity that was issued a certificate no longer exists.

    Importance of Certificate Authorities

    CAs play a crucial role in ensuring internet security. Certificates can secure digital signatures and establish secure network connections via protocols such as HTTPS. 

    Here are some of the top reasons why CAs are critical in the digital world:

    • Establishing trust. CAs provide the foundation of trust on the internet. For example, when users connect to a website, their browser trusts the website if it has a valid certificate issued by a trusted CA. Without this mechanism, it’s hard to establish trust between two parties that have never interacted.
    • Verifying identity. Certificate issuance requires verifying the requester’s identity. This ensures that the entity requesting a certificate is who it claims to be.
    • Preventing data theft. Secure connections established using certificates help prevent unauthorized data access. When data is sent over a secure connection, encryption makes it unreadable even if bad actors successfully intercept it.
    • Protecting against scams. CAs help protect users against phishing attacks and other scams. When users navigate to a website that has a valid certificate, they can be confident the site is legitimate and is not a malicious imitation built to steal personal information.
    • Revoking certificates. If a certificate is issued incorrectly or the private key is compromised, the CA can revoke the certificate and prevent further use.


    The Different Types of Certificate Authorities

    Each type of CA and the certificates they issue offer pros and cons. Organizations need to consider which is best depending on their goals, industry regulations, and the level of trust required. 

    Below, we separated the types of CAs based on function, authority, products, and hierarchy to more clearly explain the advantages and drawbacks of each type of certificate.

    Types by Function

    • Domain validated (DV) CAs. DV certificates are simpler and require less rigorous checking. DV CAs issue certificates after validating only the ownership or control over the domain for the requested certificate. DV certificates are usually cheaper and easier to obtain but provide lower trust because they don’t include the identity of the organization that owns the domain.
    • Organization validated (OV) CAs. OV CAs go a step beyond DV CAs by verifying organizational details such as name, legal existence, and physical location in addition to domain ownership. OV certificates offer a higher level of trust than DV certificates because they associate the domain with a specific organization. However, they are more expensive and take longer to issue.
    • Self-signed CAs. A self-signed certificate is not issued by a recognized CA. Instead, the entity that will be using it generates and signs it, which means there is no external verification of the certificate information. As a result, self-signed certificates are typically not trusted by web browsers or other software, and they generate a warning when users encounter them. While they are useful in testing or internal use cases, they’re not suitable for secure public internet communications.
    • Extended validation (EV) CAs. EV certificates require the most stringent verification process. In addition to verifying domain ownership and organizational details, the EV CA verifies the organization's physical and operational existence, the requester’s identity and authority, and the organization’s policy and procedures for requesting an EV certificate. EV certificates have the highest level of trust and are often used by enterprises and financial institutions. While they are the most expensive and time-consuming to obtain, they are valuable for entities that want to establish the highest level of trust with their users.


    Types by Authority

    • Public CAs. Public CAs, also called root CAs, issue digital certificates for public-facing software and servers, which are used for secure communication on the internet. Public CAs are trusted by browser and operating system vendors, and their root certificates are embedded in web browsers and operating systems. They follow stringent protocols and regulations to verify the entity's identity, depending on the type of certificate requested.
    • Private/internal CAs. Private or internal CAs are used within an organization to issue certificates for internal use. They are typically not trusted outside the organization.


    Types by Product

    • Government CAs. Government agencies usually establish government CAs to issue certificates for government entities and, in some cases, citizens and businesses within a country. They often adhere to strict identity validation procedures and policies mandated by relevant government regulations. One example is the U.S. Federal Public Key Infrastructure (FPKI).
    • Commercial CAs. Commercial CAs offer certificate services to the public. They provide a variety of certificate types, including DV, OV, and EV certificates, to secure websites, enable secure email communication, authenticate users, and more. Commercial CAs like Sectigo offer robust customer support, various wildcard and multi-domain certificates, and a longer certificate lifespan.
    • Open-source CAs. Open-source CAs provide certificates using open-source software and principles. Often, their basic services are free to use, and their underlying software is open-source, which the public can inspect and contribute to. The most notable example is Let’s Encrypt, a nonprofit CA run by the Internet Security Research Group. However, they only offer DV certificates, which have a lower level of trust and typically have a shorter lifespan.


    Hierarchy CAs

    • Issuing CAs. The authenticity of issuing CAs isn’t directly recognized by an operating system but is instead validated by an intermediate CA. Any certificate provided by issuing CAs is deemed reliable if the intermediate CA can successfully authenticate it.
    • Intermediate CAs. Intermediate CAs sit between the root (or public) CA and the issuing CA in a hierarchical PKI. They are issued a certificate by the root CA, and they can then use that certificate to issue certificates to intermediate CAs or end entities directly.


    Establishing Trust in the Digital World

    Certificate authorities play a fundamental role in establishing the security and integrity of digital communications. They help validate identities, issue digital certificates, and build trust among users and entities. CAs also offer different types of certificates to meet organizational needs and circumstances.

    If you need a robust, proven certificate authority to secure your website, authenticate users, and facilitate secure email communications, Sectigo can help. As one of the world’s largest commercial CAs, Sectigo offers a variety of certificate types to fit your needs, backed by comprehensive customer support.

    Contact Sectigo today and explore our suite of digital certificate solutions.



  • Learn More

    What is a digital certificate?

    Blog Post from Sectigo

    Blog Post Jul 12, 2023

    Learn what a digital certificate is, why it’s important, the different types and their use cases, and more. See which digital certificate is right for your organization.

  • Learn More

    PKI for Enterprise Businesses: The Why and How

    Blog Post from Sectigo

    Blog Post Jul 10, 2023

    Learn what PKI is, its key components, and how it helps enterprise businesses enhance cybersecurity and ensure secure access to data and resources.

  • Learn More

    An Overview of Enterprise Certificate Life Cycle Management

    Blog Post from Sectigo

    Blog Post Jul 07, 2023

    Learn what CLM is, the various stages in the CLM process, the tools and systems for effective CLM, and how to choose the right platform to optimize ROI.

  • Watch Now

    The 90-Day Certificate Validity Panel

    Webinar from Sectigo

    Webinar May 25, 2023

    Join our expert panel discussion for an interactive Q&A session on 90-day TLS validity with Sectigo's subject matter experts.

  • Watch Now

    The New S/MIME Baseline Requirements

    Webinar from Sectigo

    Webinar May 04, 2023

    Join our webinar to hear about the CA/B Forum ballot to introduce new baseline requirements for S/MIME, including the twelve different use cases.

  • Learn More

    Q&A on 90 Day Certificates. You asked – Sectigo Responds!

    Blog Post from Sectigo

    Blog Post Apr 17, 2023

    The topic of short-lived 90-day certificates is a major one for the cybersecurity industry.

  • Watch Now

    90 Day Certificate Validity Webinar

    Webinar from Sectigo

    Webinar Mar 30, 2023

    Join our webinar to hear about the implications of Google's plans to reduce TLS certificate validity from 398 to a maximum of only 90 days.

  • Watch Now

    Q1 2023 Sectigo Pulse Webinar

    Webinar from Sectigo

    Webinar Mar 07, 2023

    Join the Q1 2023 Sectigo Pulse Webinar to hear about the latest CA/B Forum meeting updates, the TrustCor deprecation, S/MIME standards and CA agnostic CLM.

  • Watch Now

    Q4 2022 Sectigo Pulse Webinar

    Webinar from Sectigo

    Webinar Nov 10, 2022

    Join the Q4 2022 Sectigo Pulse Webinar to hear about the OpenSSL vulnerability, Code Signing and S/MIME requirements, and what's next for PQC.

  • Learn More

    What Is Certificate Transparency?

    Blog Post from Sectigo

    Blog Post Feb 10, 2022

    Certificate Transparency (CT) provides a system to monitor and audit all public SSL certificates that are being issued by CAs. A number of different parties, including public CAs, web browser vendors, CT log operators, and others, are involved in ensuring the CT framework functions correctly.

  • Learn More

    How to Mitigate Risk with a Private CA

    Blog Post from Sectigo

    Blog Post Jan 07, 2022

    To the great delight of cybercriminals, many organizations continue to rely upon outdated, weak security protocols such as passwords. However, an increasing number of organizations have progressed to the strongest, most secure, easiest-to-manage identity authentication solution available: digital certificates.