Digital Trust 07-03-2024

What is a CA’s Role in delivering digital trust?

Mike Nelson

Think of all the steps you went through to get your first passport—requesting a certified copy of your birth certificate from the vital records office, remembering not to smile for your 2x2 photo, signing your application while an authorized passport acceptance agent looked on.

Now imagine how much less powerful your country’s passports would be if all it took to get one was mailing a check.

In the digital world, a certificate is kind of like a passport. It verifies the identity of a website, organization, or individual, helping people move about safely online. 

And like a passport, a digital certificate is only as trustworthy as the authority that issues it. 

What makes a certificate authority trustworthy?

When a certificate authority (CA) signs a digital certificate, that signature serves as an attestation that the CA has verified the identity and public key of the certificate holder. But in order for that signature to mean anything, the CA has to first gain public trust.

Becoming a publicly trusted CA isn’t easy. The organization must:

  • Establish a robust, secure infrastructure capable of handling certificate issuance, validation, and revocation.
  • Adhere to strict technical standards for digital certificates to ensure interoperability and compatibility.
  • Apply for inclusion in the root programs of major browsers and operating systems, meeting stringent security, operational, and legal compliance criteria.
  • Pass regular audits to verify that the CA continues to meet the required standards.
  • Build trust with users and businesses by demonstrating transparency, an ongoing commitment to security and reliability, and a prompt response to security issues.

Only a handful of organizations earn the title of CA. But each plays a vital role in maintaining digital trust for the entire connected world.

The basics of browser trust—and distrust

The most common type of digital certificate is a TLS/SSL certificate, which secures communications between a web server and a user’s browser. Browsers rely on CAs to vouch for the legitimacy of websites, creating the trust required to secure online interactions.

When a user visits a website, the browser checks the site’s TLS certificate against its root store, the list of CA root certificates it trusts. Each browser or operating-system vendor (Google, Mozilla, Microsoft, Apple) runs its own root program with its own admission policy, layered on the Baseline Requirements that CAs and browsers agree on in the Certificate Authority/Browser (CA/B) Forum.

If the certificate is valid, chains to a trusted root, and matches the hostname, the browser establishes the connection and signals it in the address bar (historically a padlock; Chrome replaced the padlock with a neutral “tune” icon in 2023). But here’s what your users might see if your website doesn’t have a TLS certificate issued by a trusted CA:

  • If the site presents a certificate that’s self-signed or issued by a CA the browser doesn’t trust, the browser shows a full-page warning such as Chrome’s “Your connection is not private” (NET::ERR_CERT_AUTHORITY_INVALID) or Firefox’s “Warning: Potential Security Risk Ahead,” and the user has to click through an explicit override to continue.
  • If the site has no TLS certificate at all, the browser loads it over plain HTTP and labels the page “Not Secure” in the address bar; browsers running in HTTPS-only mode show a warning page before loading it.
  • If the site’s TLS certificate has expired, users see the same class of warning, worded “Your connection is not private” (Chrome reports NET::ERR_CERT_DATE_INVALID) or “This site’s certificate has expired.”

These warnings aren’t just a nuisance; they’re the browser’s attempt to protect against security risks like man-in-the-middle attacks, phishing, and malware distribution. Without a trusted certificate, your organization risks losing customers—or worse, leaving the data exchanged between your website and browsers open to attack.
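The checks behind those warnings can be replayed on the command line. The script below is an added example, not code from the DigiCert post: it uses the openssl tool to mint a throwaway root (“Demo Root CA”), a second root that stands in for a browser store that does not contain the first (“Other Root CA”), a leaf for the constructed name www.example.test signed by the demo root, and a self-signed leaf for the same name. It then asks `openssl verify` for a verdict the way a browser would: against a chosen trust store, at a chosen time, for a chosen hostname. All names and files are constructed for the demo; `-no-CAfile`/`-no-CApath` keep the machine’s own trust store out of the result.

```shell
#!/bin/sh
# Added example (not from the DigiCert post). Replays a browser's certificate
# check with the openssl CLI: trusted issuer, issuer not in the store,
# self-signed, expired, hostname mismatch. All names and files are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One config file drives every certificate minted below (constructed names).
cat > "$WORK/demo.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Self-signed certificate with a fresh P-256 key. $1 = subject, $2 = file stem,
# $3 = extension section (ca_ext for a root, leaf_ext for a server), $4 = days.
mint_self_signed() {
  openssl req -x509 -config "$WORK/demo.cnf" -extensions "$3" -subj "$1" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days "${4:-3650}" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

make_demo_pki() {
  mint_self_signed "/CN=Demo Root CA"     ca    ca_ext       # the CA that vouches for our site
  mint_self_signed "/CN=Other Root CA"    other ca_ext       # a "browser store" lacking Demo Root CA
  mint_self_signed "/CN=www.example.test" self  leaf_ext 90  # the site vouching for itself

  # The site's CSR, signed by Demo Root CA for 90 days with a SAN.
  openssl req -new -config "$WORK/demo.cnf" -subj "/CN=www.example.test" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/demo.cnf" -extensions leaf_ext \
    -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Browser-style verdict for leaf $2 against trust store $1 (PEM bundle of roots),
# for hostname $3, evaluated at Unix time $4. -no-CAfile/-no-CApath keep the
# machine's own store out of it, so only our pretend browser store counts.
classify_cert() {
  if out=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" \
             -attime "$4" -verify_hostname "$3" "$2" 2>&1); then
    echo trusted
    return 0
  fi
  case "$out" in
    *"certificate has expired"*)    echo expired ;;           # browser: "certificate has expired"
    *self*signed*certificate*)      echo self-signed ;;       # browser: "connection is not private"
    *"unable to get local issuer"*) echo untrusted-issuer ;;  # same warning; issuer not in store
    *ostname*ismatch*)              echo hostname-mismatch ;; # cert is fine, but for another site
    *)                              echo "other: $out" ;;
  esac
  return 1
}

# Print one labelled verdict line. $1 = label, $2..$5 = classify_cert arguments.
show_verdict() {
  printf '%-52s %s\n' "$1" "$(classify_cert "$2" "$3" "$4" "$5" || true)"
}

make_demo_pki
NOW=$(date +%s)                 # taken after minting, so notBefore <= NOW
LATER=$((NOW + 100 * 86400))    # 100 days out: the 90-day leaf has expired by then

run_demo() {
  show_verdict "CA-issued, root in store, valid, right host:"    "$WORK/ca.crt"    "$WORK/leaf.crt" www.example.test  "$NOW"
  show_verdict "CA-issued, root not in store (or distrusted):"   "$WORK/other.crt" "$WORK/leaf.crt" www.example.test  "$NOW"
  show_verdict "Self-signed by the site:"                        "$WORK/ca.crt"    "$WORK/self.crt" www.example.test  "$NOW"
  show_verdict "CA-issued, checked 100 days from now:"           "$WORK/ca.crt"    "$WORK/leaf.crt" www.example.test  "$LATER"
  show_verdict "CA-issued, presented for the wrong hostname:"    "$WORK/ca.crt"    "$WORK/leaf.crt" evil.example.test "$NOW"
}
run_demo
```

The second scenario is the one a CA distrust produces: the certificate itself is unchanged, but once the root is removed from the store the verdict flips from “trusted” to “untrusted issuer.” To preview that for real certificates, point `-CAfile` at a copy of your trust bundle with the root in question deleted and run the same `openssl verify` over your inventory.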

The consequences of distrust

Being added to a browser’s trusted list doesn’t mean a CA will stay there forever. Quite the opposite—maintaining trust requires continuously meeting rigorous security standards. 

A browser can remove a CA from its root store for several reasons, including security breaches, certificate mis-issuance, the issuance of fraudulent certificates, or failure to comply with industry standards. And when a CA is distrusted, its certificates are distrusted too: sometimes all at once, sometimes only those issued after a cutoff date, as in the Entrust case below.

For businesses, continuing to use certificates issued by a distrusted CA can lead to the loss of customer trust, reduced website traffic, and financial fallout. For users, it increases the risk of falling victim to phishing attacks and other online threats.

The risks and consequences of CA distrust are something every organization should know about. But you can protect your company and your customers by partnering with a CA with a proven commitment to compliance and digital trust.

How certificate mis-issuance leads to distrust

We mentioned certificate mis-issuance as one of the reasons a CA could become distrusted by browsers. But a single mis-issuance is rarely enough; root programs act when the CA’s handling of the incident (late revocation, incomplete reporting, repeated recurrence) shows a broader failure to meet its obligations.

In early 2024, Entrust mis-issued more than 26,000 EV certificates and then failed to revoke them within the five-day window the CA/B Forum’s Baseline Requirements set for non-compliant certificates. By late June, Google’s Chrome Security Team cited “a pattern of concerning behaviors by Entrust” in its announcement that Chrome would no longer trust TLS certificates issued by Entrust’s roots after October 31, 2024; certificates issued before that date would remain trusted until they expired.

Mis-issuance can happen for a number of reasons, like bugs in code or human error. And it can happen to any CA. It's not mis-issuance alone but the CA’s response to it that determines its continued status as a trusted CA.

How to protect your organization from CA distrust

It’s worth saying again: The best way to prevent your certificates from becoming distrusted is to work with a trusted CA with a solid compliance track record. At DigiCert, we not only view compliance as the metric for measuring and testing trust—we’re also a co-founding CA member of the CA/B Forum, continuously contributing to the organization’s efforts to make the internet safer and more secure for our customers and their users.

We’re also committed to empowering customers to take more control over their certificates, offering comprehensive solutions like DigiCert Trust Lifecycle Manager, which offers:

  • PKI certificate discovery
  • A full repository of all public and private certificates
  • Fine-grained visibility and operational control
  • Notifications to stay ahead of certificate expiration
  • Vulnerability remediation
  • Governance across CAs and interoperability with business systems

Automating your certificate lifecycle management (CLM) is one of the best ways to keep issues like mis-issued or expired certificates from causing outages. And by pairing a CLM solution like DigiCert Trust Lifecycle Manager with certificates from a trusted CA like DigiCert, you make a CA distrust, if it ever happens, a planned replacement exercise rather than an outage: you know which certificates chain to the affected root, and you can reissue them before the cutoff.

The latest developments in digital trust

Want to learn more about topics like the CA/B Forum, compliance, and certificate lifecycle management? Subscribe to the DigiCert blog to ensure you never miss a story.

Subscribe to the blog