Learn · Foundations

What is a Certificate Authority?

A Certificate Authority (CA) is a trusted organization that issues digital certificates — vouching that a public key really belongs to the website or service presenting it. CAs are the anchor of trust behind every padlock in your browser.

Chain of trust

Root CA (self-signed, kept offline) → Intermediate CA (issues end-entity certificates) → Leaf certificate (your domain)
Definition

A Certificate Authority is a trusted third party that verifies identity and issues digital certificates binding a public key to a domain, organization, or device — so clients can establish encrypted, authenticated connections.

How a CA works

Validate, sign,
trust, revoke.

1. Validate

Before anything is signed, the CA confirms that the requester actually controls the domain (or holds the organizational identity) being certified.

2. Sign

The CA signs the certificate with its own private key, binding your public key to the validated name. Anyone holding the CA's public key can check that signature.

3. Trust

Browsers and operating systems ship the CA's root certificate in their trust stores, so a certificate that chains up to that root is accepted with no prior relationship between the client and you.

4. Revoke

If the certificate's key is compromised or the certificate was mis-issued, the CA revokes it and publishes that status via a CRL or OCSP; clients that consult those sources will then reject it.
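The four steps above, carried out end to end in Go as an added example (this is not code from the original page or from MachineCert, and it uses only the Go standard library, version 1.21 or later for the CRL entry type). It builds a hypothetical root → intermediate → leaf chain for the made-up hostname www.example.test, verifies the leaf the way a TLS client does, then has the issuing CA revoke it with a CRL that the client side checks. Every name and serial number is invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LeafHost is a made-up hostname; no real domain, CA or key appears here.
const LeafHost = "www.example.test"

// Chain is root -> intermediate -> leaf, plus the intermediate's signing key.
type Chain struct {
	Root, Inter, Leaf *x509.Certificate
	InterKey          *ecdsa.PrivateKey
}

// template is what a CA fills in before signing; the "validate" step is what justifies cn.
func template(cn string, serial int64, isCA bool, days int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA { // a CA certificate may sign certificates and CRLs
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // a leaf is valid for exactly the name the CA validated
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign generates a P-256 key for tmpl and has the parent's key sign it. With no
// parent the certificate signs itself, which is all "root" means technically.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain is the "sign" step three times. The root key is dropped after use,
// which is the offline-root discipline in miniature.
func BuildChain() (*Chain, error) {
	root, rootKey, err := sign(template("Example Root CA", 1, true, 20*365), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := sign(template("Example Issuing CA", 2, true, 5*365), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := sign(template(LeafHost, 3, false, 47), inter, interKey)
	return &Chain{Root: root, Inter: inter, Leaf: leaf, InterKey: interKey}, err
}

// VerifyLeaf is the "trust" step as a TLS client performs it: follow signatures
// from the leaf through the intermediate to a root in the trust store (here only trusted).
func VerifyLeaf(c *Chain, trusted *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trusted)
	inters.AddCert(c.Inter)
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// RevokeLeaf is the "revoke" step: the issuing CA signs a CRL listing the leaf's serial.
func RevokeLeaf(c *Chain) ([]byte, error) {
	now := time.Now()
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: c.Leaf.SerialNumber, RevocationTime: now, ReasonCode: 1}, // 1 = keyCompromise
		},
	}, c.Inter, c.InterKey)
}

// IsRevoked is the client side: accept the CRL only if the issuer signed it, then look up the serial.
func IsRevoked(crlDER []byte, issuer, leaf *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	crl, _ := RevokeLeaf(c)
	revoked, _ := IsRevoked(crl, c.Inter, c.Leaf)
	fmt.Println("chain verifies:", VerifyLeaf(c, c.Root, LeafHost) == nil, "| leaf revoked:", revoked)
}
```

VerifyLeaf deliberately trusts only the single root passed in, mirroring a trust store. Hand it a different root, or a hostname the leaf was not issued for, and it returns an error: that is the same decision a browser renders as a certificate warning. Note that revocation only protects clients that actually fetch and check the CRL (or OCSP); the CA publishing it is not enough on its own.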

The pieces

Roots, intermediates,
public and private.

Trust flows downward through a chain. Understanding the layers explains how a single padlock connects back to a root nobody ever touches.

Root CA

The root's certificate is self-signed, and its private key is kept offline in a highly secured environment and used only to sign intermediates. The root certificate itself is public: it ships in browser and operating-system trust stores.

Intermediate CA

Signed by the root and used to issue day-to-day certificates, so the root key stays offline and protected.

Public CA

Trusted by default in browsers (DigiCert, Let’s Encrypt, Sectigo). Used for public-facing websites and services.

Private CA

Run inside an organization for internal services and devices. Trusted only within that environment.

Modern challenges

One CA was simple.
Many CAs is the problem.

Sprawl across many CAs

Most orgs use several CAs and lose track of what’s issued where.

Shorter lifetimes

The CA/Browser Forum has scheduled public TLS certificate validity to fall to 47 days by 2029, which means far more issuance and renewal from every CA.

Revocation is hard

Knowing which certs to revoke — and confirming it — is non-trivial.

Mis-issuance risk

Rogue or mis-issued certificates are a real security threat.

Private PKI blind spots

Internal CAs such as Active Directory Certificate Services (ADCS) are often the least visible of all: the certificates they issue never appear in public Certificate Transparency logs.

Multi-cloud issuance

Each cloud provider's CA service issues certificates in its own silo, with its own APIs and inventory.

FAQ

Certificate authorities,
answered.

What does a certificate authority do?

A CA verifies the identity of the entity requesting a certificate, then issues a digitally signed certificate that binds a public key to that identity. Clients trust the certificate because they trust the CA that signed it.

What is the difference between a root CA and an intermediate CA?

A root CA is a self-signed certificate that browsers and operating systems trust inherently; its private key is kept offline for safety. An intermediate CA is signed by the root and does the actual day-to-day issuing, so the root key never has to be exposed.

What is a certificate chain?

It is the path from a leaf certificate (your domain) up through one or more intermediate CAs to a trusted root. A client validates each signature in the chain to confirm the leaf certificate is trustworthy.

What is the difference between a public CA and a private CA?

A public CA (like DigiCert or Let's Encrypt) is trusted by default in browsers and used for public websites. A private CA is run internally by an organization and trusted only within that environment, for internal services, devices, and mTLS.

What happens when a certificate has to be revoked?

If a certificate is compromised or mis-issued, the CA revokes it and publishes that status via a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP), so clients that check those sources can refuse it.

Why do organizations end up with so many CAs?

Different use cases call for different CAs: public CAs for external sites, private CAs for internal systems, cloud-provider CAs for cloud workloads. The result is certificate sprawl across many issuers.

Is MachineCert a CA?

MachineCert is not a CA; it is the management layer across all of them. It discovers, inventories, monitors, and automates renewal for certificates regardless of which CA issued them, public or private.

What is certificate mis-issuance?

Mis-issuance is when a CA issues a certificate in violation of its own policy, for example to a requester that does not control the domain. It can be a sign that the CA's validation failed or that the CA itself was compromised. Monitoring Certificate Transparency logs for unexpected certificates on your domains helps detect it.
See it in practice

See which CAs issued your certificates.

Run a free domain scan to discover every certificate across every CA — public and private — in one inventory.
