A Certificate Authority (CA) is an entity that issues, distributes, and in case of compromises, revokes digital certificates.
CAs are entrusted to make online interactions more secure, prevent identity theft, and make users more trustful of the organizations they deal with online.
If you are currently considering reaching out to a Certificate Authority to obtain one or more digital certificates, you need to make sure that you (and your customers) can actually trust this organisation.
According to W3techs, 96.3% of digital certificates are issued by just 9 public Certificate Authorities. So imagine a prospect visiting your website, only to find out that you are partnering with a CA that no one has heard of. They will likely be sceptical about doing business with you. . So imagine a prospect visiting your website, only to find out that you are partnering with a CA that no one has heard of. They will likely be sceptical about doing business with you.
In other words, one poor decision can lead to severe consequences for your organisation, including loss of client trust, and reputational damage.
This guide aims to help you make a more informed decision when picking a Certificate Authority to work with.
The Critical Role of a Certificate Authority
The primary role of a Certificate Authority is to issue digital certificates to ensure and maintain data security. These certificates establish trust in various internet communications between users and businesses. These certificates are now so important that 95% of all traffic across the Google Search Engine is encrypted using a digital certificate.
They’re also vital for identity authentication. Think about it: on the internet, virtually anyone can claim to be whoever they want. If you have a website, there is nothing that can stop a malicious user from creating another website that claims to be you with a slightly different domain.
Without authentication, customers and clients cannot trust your website. The same goes for other communications like emails.
When someone visits your website, the browser validates your digital certificate. And once a secure, encrypted connection is established, your prospect can browse your website without worrying about security.
Further, encrypting the communication channel ensures that no malicious parties can intercept that communication and compromise your data. This type of attack is known as “Man in the Middle” (MITM) attack.
Certificate Authorities are also responsible for maintaining revocation lists of compromised certificates that cannot be trusted.
The 5 Must-Ask Questions
When you approach a Certificate Authority, it’s essential that they can answer the following key questions:
Question 1: What types of certificates do you offer?
Before partnering with a CA, it’s essential that you know the range of certificates it offers depending on your business requirements.
It is worth noting that there are two general types of certificates: root certificates and intermediate certificates. A root certificate is issued by a Certificate Authority for authentication purposes. When we talk about establishing online trust, root certificates are the primary target here.
An intermediate certificate, on the other hand, is cross-signed by the Certificate Authority and the end user. It acts as a verification device that communicates the root certificate's credibility with the browser.
A CA may offer some or all of the following types of certificates:
SSL/TLS certificates enable a secure connection between a user’s browser and your servers. The connection is encrypted, which prevents the user’s browser from giving the user security warnings like “your connection is not private”.
With an SSL certificate, you can make sure that once a user lands on your website, they will not make a U-turn because of a security warning.
Code Signing Certificates
Code signing certificates are used to sign development codes to ensure that they do not contain malware or any other security risks.
Developers and publishers use these certificates to assure users of the code’s integrity. In other words, without a code signing certificate, a user may be sceptical that the code has been tampered with.
Code signing certificates are also used for authentication purposes. By signing your code, you can prove that you wrote the code and that it’s in the status that you intended to be in.
With non-signed software, the operating system will warn the user that it’s from an unknown publisher, which may make them reluctant to install it on their computer. Application Stores and other distribution platforms will not permit software to be listed in their catalogues without a signed certificate.
Email Signing Certificates
Email signing certificates authenticate users to email servers. They are very similar to SSL certificates, but instead of encrypting the connection between the browser and the server, it encrypts the connection between the email client and the server.
When a user receives a signed email, they will see a “signed by” footer under the email’s subject. They may also see a ribbon at the right that, once clicked, will present additional information about the sender’s authenticity.
Question 2: What is your validation process?
As a channel partner, your prospects are primarily concerned with two things: the security of their sensitive data, and the trustworthiness of your organisation. Thus, it’s important that you obtain your certificates from a reputable CA that has strict verification procedures for different individuals and organisations. You should also check the CA’s history and whether their verification process was ever breached or compromised.
And while some organisations may view the verification process as an annoying procedure, it displays the CA’s commitment to verifying entities before giving them certificates. In other words, it is the CA’s way of telling you that they actually put in the necessary work before trusting the requestor with a digital certificate.
Typically, the validation process starts from your side. Once you contact a CA, they will run a verification check. The exact verification process varies depending on the type of certificate you wish to obtain:
Domain Validation: With domain validation, the CA verifies that the individual requesting the certificate is the owner or authorized user of the domain. It’s considered the simplest validation process.
Organisation Validation: In an organisation validation process, the CA verifies that the organization is legitimate. The requestor is asked to submit relevant business information about the organisation’s registration and activities. The CA scans these documents and confirms the information in them from other third parties.
Extended Validation: Extended validation is the longest and most extensive validation process a CA can initiate. It roughly takes anywhere from two to five days depending on the size of the requestor’s organisation. It is basically considered a more rigorous form of organisation validation. A CA may decide to go through an extended validation depending on your organisation’s size and industry.
Question 3: How do you handle certificate revocation?
A robust revocation process is crucial for maintaining security. Hence, it’s vital that you discuss the revocation mechanisms and speed of revocation with the CA.
In the event of an issue, the CA’s revocation response should be fast and reliable. The certificate may get compromised for multiple reasons – one common scenario is when the certificate’s private key is lost.
The best practice for the CA is to maintain a certificate revocation list, which is essentially a blacklist of untrusted certificates that were compromised for some reason.
When a client approaches a CA, they may request access to its certificate revocation list. They are also used by web servers in OCSP stapling, which is a real-time check of a certificate’s status.
On a side note, keep in mind that a revocation list is not always a real test of a CA’s transparency. When a CA grants a digital certificate, it is essential that they add a new entry to its public certification log. In case the CA revokes any of these certificates, they are added to the certificate revocation list.
Question 4: What kind of customer support do you offer?
Reliable customer support should be one of the key factors that shape your decision when choosing a CA to partner with.
Ideally, the Certificate Authority's support team should be available round the clock to handle any queries or technical issues you may encounter.
It’s also vital to assess their team’s technical expertise; are they able to assist clients with complex technical issues? Or is their knowledge limited to basic queries related to billing, accounts, etc.?
Moreover, it is vital to learn what channels the CA uses to accept queries. Some CAs only offer email support, while others go one step further with live chat support. Some CAs even add the good old phone support, which many clients appreciate as it is a more personal interaction.
Finally, check how easy it is to reach a live agent on the CA’s website. While self-service options like AI chatbots and knowledge bases are definitely fine for simple queries, they should not make it too hard for the client to talk to a live agent, especially when it is an urgent problem.
Question 5: What compliance standards do you meet?
Partnering with a compliant Certificate Authority is essential for you to establish a robust chain of trust. As an independent organisation, it is not enough for you to comply with regulatory and compliance standards; your partners must be compliant too.
This helps you avoid hefty fines and penalties associated with compliance violations. It is also important to maintain a positive brand reputation and build customer trust.
Users trust compliant CAs as it shows their commitment to maintaining data security. So, before partnering with a CA, check if they meet the compliance requirements of the most important compliance standards, such as GDPR, HIPAA, and PCI-DSS.
As a channel partner, there is a good chance that you regularly work with sensitive customer data, so partnering with a CA that complies with these standards is not optional.
For CAs, meeting compliance requirements can help them attract more reputable businesses that seek to protect their online communications and transactions.
Moreover, maintaining compliance with important standards helps your organisation mitigate risk and reduce the likelihood of data breaches.
GDPR (General Data Protection Regulation)
Complying with the GDPR Compliance Standard is important for CAs operating in the European Union. Since the GDPR regulations cover key points related to personal data security and privacy, CAs must make sure that their data handling and retention practices meet GDPR requirements.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA regulations are drafted to maintain the security of personal healthcare information such as health records.
For businesses operating in the healthcare industry, using digital certificates to secure online communications is important to protect healthcare information.
Therefore, choosing a Certificate Authority that complies with HIPAA best practices is vital to create a chain of trust.
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS regulations aim to protect cardholders' data to prevent fraudulent activities. Complying with PCI DSS standards is essential for e-commerce businesses and any organisation that accepts payments through secured payment processing systems.
A secure digital certificate issued by a PCI DSS compliant Certificate Authority encrypts cardholders' data and prevents malicious threats from stealing it.
Can your CA answer the 5 questions?
As a globally trusted public CA, GlobalSign empowers channel partners to gain their clients’ trust and secure their online communications with credible end entity certificates.
Reach out to us now at firstname.lastname@example.org to explore how we can protect your business identity and boost your trustworthiness on the web.