Think of all the steps you went through to get your first passport—requesting a certified copy of your birth certificate from the vital records office, remembering not to smile for your 2x2 photo, signing your application while an authorized passport acceptance agent looked on.
Now imagine how much less powerful your country’s passports would be if all it took to get one was mailing a check.
In the digital world, a certificate is kind of like a passport. It verifies the identity of a website, organization, or individual, helping people move about safely online.
And like a passport, a digital certificate is only as trustworthy as the authority that issues it.
When a certificate authority (CA) signs a digital certificate, that signature serves as an attestation that the CA has verified the identity and public key of the certificate holder. But in order for that signature to mean anything, the CA has to first gain public trust.
Becoming a publicly trusted CA isn’t easy. The organization must:
Only a handful of organizations earn the title of CA. But each plays a vital role in maintaining digital trust for the entire connected world.
The most common type of digital certificate is a TLS/SSL certificate, which secures communications between a web server and a user’s browser. Browsers rely on CAs to vouch for the legitimacy of websites, creating the trust required to secure online interactions.
When a user visits a website, their browser checks the site’s TLS certificate against a list of trusted CAs. Browser vendors like Google, Mozilla, and Microsoft maintain their own lists of CAs that have met the criteria put in place by organizations like the Certificate Authority/Browser (CA/B) Forum.
If the certificate is valid and signed by a trusted CA, the browser establishes a secure connection, indicated by the padlock icon in the address bar. But here’s what your users might see if your website doesn’t have a TLS certificate issued by a trusted CA:
These warnings aren’t just a nuisance; they’re the browser’s attempt to protect against security risks like man-in-the-middle attacks, phishing, and malware distribution. Without a trusted certificate, your organization risks losing customers—or worse, leaving the data exchanged between your website and browsers open to attack.
Being added to a browser’s trusted list doesn’t mean a CA will stay there forever. Quite the opposite—maintaining trust requires continuously meeting rigorous security standards.
A browser can remove a CA from its list for several reasons, including security breaches, certificate mis-issuance, the issuance of fraudulent certificates, or failure to comply with industry standards. And when a CA is distrusted, its certificates are distrusted too.
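The check a browser performs, and what happens to a CA's certificates once its root is removed from the trusted list, as an added Go example (not code from the original post or from DigiCert). It uses Go's crypto/x509 chain verification as a stand-in for a browser's trust store; the root CA, its key material and the host name www.example.test are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error so the constructed PKI setup below stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildChain creates a constructed (not real) root CA and a server certificate for host
// issued by it: the root is self-signed, the leaf is signed with the root's private key.
func BuildChain(host string) (root, leaf *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	return root, leaf
}

// Check mirrors the browser step: build a chain from leaf to a root present in store for host.
// nil means the padlock is shown; an x509.UnknownAuthorityError means the issuer is not trusted,
// which is what happens to every certificate a CA issued once its root is removed from the store.
func Check(leaf *x509.Certificate, store *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err
}
```

Verifying the leaf against a pool that contains the root succeeds; verifying the same, unchanged leaf against a pool from which the root has been removed fails with UnknownAuthorityError, and a host name mismatch fails even with the root trusted.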
For businesses, continuing to use certificates issued by a distrusted CA can lead to the loss of customer trust, reduced website traffic, and financial fallout. For users, it increases the risk of falling victim to phishing attacks and other online threats.
The risks and consequences of CA distrust are something every organization should know about. But you can protect your company and your customers by partnering with a CA with a proven commitment to compliance and digital trust.
We mentioned certificate mis-issuance as one of the reasons a CA could become distrusted by browsers. But mis-issuance on its own is rarely enough; distrust follows a greater failure on the part of the CA.
In early 2024, Entrust failed to revoke more than 26,000 mis-issued EV certificates within the CA/B Forum’s Baseline Requirements revocation timeline. By late June, Google’s Chrome Security Team cited “a pattern of concerning behaviors by Entrust” in its announcement that Chrome would no longer trust Entrust-issued TLS certificates after October 31, 2024.
Mis-issuance can happen for a number of reasons, like bugs in code or human error. And it can happen to any CA. It’s not mis-issuance alone but the CA’s response to it that determines its continued status as a trusted CA.
It’s worth saying again: The best way to prevent your certificates from becoming distrusted is to work with a trusted CA with a solid compliance track record. At DigiCert, we not only view compliance as the metric for measuring and testing trust—we’re also a co-founding CA member of the CA/B Forum, continuously contributing to the organization’s efforts to make the internet safer and more secure for our customers and their users.
We’re also committed to empowering customers to take more control over their certificates, offering comprehensive solutions like DigiCert Trust Lifecycle Manager, which offers:
Automating your certificate lifecycle management (CLM) is one of the best ways to keep issues like mis-issued or expired certificates from causing outages. And by pairing a CLM solution like DigiCert Trust Manager with digital certificates from a trusted CA like DigiCert, you can ensure that certificate distrust is one problem your organization will never have to face.
Want to learn more about topics like the CA/B Forum, compliance, and certificate lifecycle management? Subscribe to the DigiCert blog to ensure you never miss a story.