Security · 6 min read · 28 January 2026

What Is a Certificate Authority and Why Should You Trust It?

Certificate authorities are the backbone of web security — but not all of them carry the same weight. Here's what Australian businesses need to know before buying or issuing an SSL certificate.

By CertGuard Team

Every SSL certificate you've ever seen was issued by a Certificate Authority — but most business owners have never heard of one. Understanding what a CA is, which ones to trust, and when to pay for a certificate versus use a free one can save you money and protect you from a class of attack most people don't think about.

What Is a Certificate Authority?

A Certificate Authority (CA) is an organisation that issues digital certificates. Its job is to verify that you are who you claim to be, then issue a certificate that proves it to everyone else.

Think of it like a passport office. Your government issues your passport after verifying your identity. When you show your passport at border control, they trust it not because they know you personally, but because they trust the government that issued it.

Web browsers work the same way. They ship with a pre-installed list of trusted Certificate Authorities — around 150 organisations worldwide. When your website presents an SSL certificate, the browser checks whether it was signed by one of those trusted CAs. If it was, the padlock appears. If it wasn't, you get a warning.

The Chain of Trust

SSL certificates exist in a hierarchy:

Root CA → Intermediate CA → End-entity certificate (your website's certificate)

Root CAs are the most trusted — they're baked into browsers and operating systems. But root CAs rarely issue certificates directly. Instead, they create Intermediate CAs, which then issue the certificates you put on your website.

When your browser validates your certificate, it traces this chain back to a root CA it trusts. If the chain is broken at any point — an expired intermediate certificate, a misconfigured server — the browser rejects the connection even if your end-entity certificate is valid.

This is why SSL errors sometimes aren't about your certificate at all. A misconfigured chain is a common cause of HTTPS errors that look like expiry problems.
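To make the chain rule concrete, here is an added example (not CertGuard's code) that builds a throwaway root, intermediate and website certificate with openssl and then verifies the same valid leaf three ways: full chain served, intermediate missing, intermediate expired. It assumes openssl 1.1.1 or later is installed; the names (Example Root CA, www.example.com) are made up.

```shell
#!/bin/sh
# Throwaway Root CA -> Intermediate CA -> leaf chain, built with openssl (1.1.1 or later
# assumed), then verified the way a browser would: same valid leaf, three outcomes.
set -eu
WORK=$(mktemp -d); cd "$WORK"         # left in place so the files can be inspected

cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

# mkcsr NAME SUBJECT: fresh RSA key plus CSR, key-generation chatter silenced
mkcsr() { openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "$2" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null; }

mkcsr root "/CN=Example Root CA"           # the trust anchor browsers would ship
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.cnf -extensions ca -out root.pem 2>/dev/null
mkcsr int "/CN=Example Intermediate CA"    # deliberately short-lived: 2 days
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
  -extfile ca.cnf -extensions ca -out int.pem 2>/dev/null
mkcsr leaf "/CN=www.example.com"           # the website's certificate: 90 days
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 90 \
  -extfile ca.cnf -extensions leaf -out leaf.pem 2>/dev/null

# chain_status LEAF [INTERMEDIATE]: prints OK when LEAF chains to root.pem, else
# BROKEN plus openssl's reason. CHECK_TIME=<epoch seconds> verifies as of that moment.
chain_status() {
  leaf=$1; shift
  [ $# -ge 1 ] && set -- -untrusted "$1"
  [ -n "${CHECK_TIME:-}" ] && set -- "$@" -attime "$CHECK_TIME"
  if out=$(openssl verify -CAfile root.pem "$@" "$leaf" 2>&1); then echo OK
  else printf 'BROKEN: %s\n' "$out"; fi
}

echo "1. full chain served:          $(chain_status leaf.pem int.pem)"
echo "2. intermediate not served:    $(chain_status leaf.pem)"
echo "3. intermediate expired (+3d): $(CHECK_TIME=$(( $(date +%s) + 3*86400 )) chain_status leaf.pem int.pem)"
```

Cases 2 and 3 fail even though leaf.pem itself is valid for 90 days, which is exactly the "it's not your certificate, it's the chain" situation described above.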

Let's Encrypt vs Paid Certificate Authorities

Let's Encrypt changed the industry when it launched in 2015 (public beta) and reached general availability in 2016. It's a free, automated, open CA run by the Internet Security Research Group (ISRG), a non-profit. Their certificates are trusted by all major browsers.

For most Australian businesses, Let's Encrypt is the correct choice:

When do you need a paid CA?

For domain-validated (DV) certificates — which is what most businesses need — you don't. The security is identical to paid options.

Paid CAs add value in two scenarios:

Organisation Validation (OV) certificates verify your business entity. Certificate details show your company name, providing additional trust signals. Costs $50–200/year. Useful for established businesses where brand trust matters.

Extended Validation (EV) certificates require strict verification of your legal identity. Browsers previously showed a green address bar for them; Chrome and Firefox removed that indicator in 2019. Today, EV certificates provide a detailed audit trail but no visible browser difference. Costs $200–500/year. Mainly used by banks and government agencies for compliance reasons.

Which CAs Should Australian Businesses Trust?

All CAs in the browser trust store are technically trustworthy for issuing DV certificates. In practice, the most commonly used by Australian businesses are:

For most small and medium businesses, Let's Encrypt through your hosting provider is the right choice. If your business requires OV or EV certificates for regulatory or insurance reasons, Sectigo and DigiCert are both reputable options with Australian resellers.

CA Compromises: The Risk You're Not Thinking About

In rare but significant incidents, CAs themselves have been compromised. In 2011, DigiNotar — a Dutch CA — was hacked and issued fraudulent certificates for Google.com, Yahoo, and others. All major browsers immediately removed DigiNotar from their trust stores. The company ceased operations within months.

The lesson: if your CA is distrusted by browsers, your website stops working for everyone — even if your certificate is perfectly valid.

This has happened to several CAs over the years, including Symantec (distrusted by Chrome in 2018 after a series of misissued certificates).

What you can do: Stick to well-established, audited CAs. Avoid newer, lesser-known certificate issuers.

Certificate Transparency Logs

Since 2018, browsers have required all publicly trusted CAs to log every certificate they issue to Certificate Transparency (CT) logs: public, append-only records of all issued certificates.

This serves two purposes:

  1. Lets domain owners see every certificate issued for their domain
  2. Makes it detectable when a CA issues a certificate fraudulently

You can search CT logs for your domain at crt.sh — you'll see every certificate ever issued for your domain, who issued it, and when. If you see a certificate you didn't issue, that's a serious security concern.
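As an added example (not CertGuard's code and not crt.sh's own tooling), the script below triages a crt.sh-style JSON result for a domain and reports every certificate whose issuer is not on an allowlist you maintain, which is the "certificate you didn't issue" check described above done on a schedule rather than by eye. The record keys follow crt.sh's JSON output; the EXPECTED_ISSUERS allowlist, the domain and the three records are constructed for illustration.

```python
# Added example (not CertGuard's code): triage a crt.sh-style Certificate Transparency
# result for your domain and flag certificates from issuers you never use.
# Record keys (id, issuer_name, name_value, not_before, not_after) follow crt.sh's JSON
# output; the three records below are constructed, not real log entries.
import json
from datetime import datetime, timezone

# Hypothetical allowlist: the CAs this business actually uses, matched against the issuer DN.
EXPECTED_ISSUERS = ("O=Let's Encrypt", "O=Sectigo", "O=DigiCert")

SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "example.com.au\nwww.example.com.au",
     "not_before": "2026-01-01T00:00:00", "not_after": "2026-04-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R10",
     "name_value": "www.example.com.au",
     "not_before": "2025-07-01T00:00:00", "not_after": "2025-09-29T00:00:00"},
    {"id": 3, "issuer_name": "C=XX, O=Example Unknown CA, CN=Example Unknown CA Issuing",
     "name_value": "mail.example.com.au",
     "not_before": "2026-01-20T00:00:00", "not_after": "2027-01-20T00:00:00"},
])

def _utc(iso_ts):
    # crt.sh timestamps are naive UTC strings such as "2026-01-01T00:00:00"
    return datetime.fromisoformat(iso_ts).replace(tzinfo=timezone.utc)

def parse_ct_records(raw_json):
    """Normalise crt.sh JSON: split the newline-separated SAN list, parse the dates."""
    return [{"id": r["id"], "issuer": r["issuer_name"],
             "names": sorted(set(r["name_value"].split("\n"))),
             "not_before": _utc(r["not_before"]), "not_after": _utc(r["not_after"])}
            for r in json.loads(raw_json)]

def issuer_is_expected(issuer_dn, expected=EXPECTED_ISSUERS):
    return any(tag in issuer_dn for tag in expected)

def unexpected_certificates(raw_json, now_iso, expected=EXPECTED_ISSUERS):
    """Entries whose issuer is not on the allowlist. Expired ones are reported too:
    a certificate you never requested is a concern whether or not it still works."""
    now = _utc(now_iso)
    return [{"id": r["id"], "issuer": r["issuer"], "names": r["names"],
             "still_valid": r["not_before"] <= now <= r["not_after"]}
            for r in parse_ct_records(raw_json) if not issuer_is_expected(r["issuer"], expected)]

if __name__ == "__main__":
    today = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    for hit in unexpected_certificates(SAMPLE_CT_JSON, today):
        state = "currently valid" if hit["still_valid"] else "expired"
        print(f"UNEXPECTED issuer for {', '.join(hit['names'])}: {hit['issuer']} "
              f"(crt.sh id {hit['id']}, {state})")
```

On the sample data only record 3 is reported; the expired Let's Encrypt certificate (record 2) is normal renewal history and stays silent.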

What This Means for Your SSL Monitoring

Certificate Authority issues are one reason why monitoring your SSL certificate's status — not just its expiry date — matters. A certificate that's technically valid can still cause browser errors if:

CertGuard monitors your live certificate status on a schedule, checking not just the expiry date but whether the certificate is actually trusted and valid as browsers see it.

Free monitoring for up to 3 domains — no credit card required.
