Certificate Authorities & Trust Hierarchies


What are Certificate Authorities & Trust Hierarchies?


Certificate Authorities (CAs) issue Digital Certificates. Digital Certificates are verifiable small data files that contain identity credentials to help websites, people, and devices represent their authentic online identity (authentic because the CA has verified the identity). CAs play a critical role in how the Internet operates and how transparent, trusted transactions can take place online. CAs issue millions of Digital Certificates each year, and these certificates are used to protect information, encrypt billions of transactions, and enable secure communication.

An SSL Certificate is a popular type of Digital Certificate that binds the ownership details of a web server (and website) to cryptographic keys. These keys are used in the SSL/TLS protocol to activate a secure session between a browser and the web server hosting the SSL Certificate. In order for a browser to trust an SSL Certificate, and establish an SSL/TLS session without security warnings, the SSL Certificate must contain the domain name of the website using it, be issued by a trusted CA, and not have expired.

According to analyst site Netcraft (www.netcraft.com), in August 2012 there were almost 2.5m SSL Certificates in use for public-facing websites. In reality there are probably as many as 50% more in use on public-facing websites that Netcraft cannot identify. This makes SSL one of the most prevalent security technologies in use today.

With all these SSL Certificates in use, who decides a CA can be trusted?

Browsers, operating systems, and mobile devices operate authorized CA 'membership' programs where a CA must meet detailed criteria to be accepted as a member. Once accepted, the CA can issue SSL Certificates that are transparently trusted by browsers and, subsequently, by people and devices relying on the certificates. There are a relatively small number of authorized CAs, from private companies to governments, and typically the longer the CA has been operational, the more browsers and devices will trust the certificates the CA issues. For certificates to be transparently trusted, they must have significant backward compatibility with older browsers and especially older mobile devices. This is known as ubiquity and is one of the most important features a CA can offer its customers.

Prior to issuing a Digital Certificate, the CA will conduct a number of checks into the identity of the applicant. The checks relate to the class and type of certificate being applied for. For example, for a domain validated SSL Certificate the CA will have verified the ownership of the domain to be included within the Certificate, whereas an Extended Validation SSL Certificate will include additional information on the company, verified by the CA through many company checks.

For more information about different classes of SSL Certificates, please see our related article: The Different Classes of Certificates and Their Use Cases

PKI & Trust Hierarchies

Browsers and devices trust a CA by accepting its Root Certificate into their root store – essentially a database of approved CAs that comes pre-installed with the browser or device. Windows operates a root store, as do Apple and Mozilla (for its Firefox browser), and typically each mobile carrier also operates its own root store.

[Figure: The Apple OSX store of trusted Root Certificates]

CAs use these pre-installed Root Certificates to issue Intermediate Root Certificates and end entity Digital Certificates. The CA receives certificate requests, validates the applications, issues the certificates, and publishes the ongoing validity status of issued certificates so anyone relying on the certificate has a good idea that the certificate is still valid.

CAs usually create a number of Intermediate CA (ICA) Root Certificates to be used to issue end entity certificates, such as SSL Certificates. This is called a trust hierarchy, and will look something like this:

[Figure: Certificate Authority GlobalSign EV Root]



The GlobalSign Extended Validation CA - G2 is shown in this example as the ICA. Its trust is inherited from the publicly trusted GlobalSign root (top of the hierarchy). This ICA is able to issue publicly trusted end entity certificates; in this example, the ICA issued an Extended Validation Certificate to www.globalsign.com.

CAs should not issue Digital Certificates directly from the root distributed to the carriers, but instead via one or more of their ICAs. This is because a CA should follow best security practices by minimizing the potential exposure of a Root CA to attackers. GlobalSign is one of the few CAs to have always (since 1996) utilized ICAs.
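The three conditions for browser trust described earlier (matching domain name, issuance by a trusted CA, not expired) and the root, ICA and end entity hierarchy can be exercised with Go's standard crypto/x509 package. This is an added example, not GlobalSign code; every name, key and certificate in it is constructed in memory, and the helper names `issue` and `check` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn signed by parent; a nil parent yields a self-signed root.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA { // end entity: a TLS server certificate naming the host
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// check validates leaf for host against a root store and a set of ICAs, as a relying party would.
func check(leaf *x509.Certificate, host string, roots, inters []*x509.Certificate, at time.Time) error {
	opts := x509.VerifyOptions{DNSName: host, CurrentTime: at, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range inters {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() { // all names and certificates below are constructed for this example
	root, rootKey := issue("Constructed Root CA", 1, true, nil, nil)
	ica, icaKey := issue("Constructed Intermediate CA", 2, true, root, rootKey)
	leaf, _ := issue("www.example.test", 3, false, ica, icaKey)
	other, _ := issue("Constructed Unlisted Root", 4, true, nil, nil)
	store, inters, now := []*x509.Certificate{root}, []*x509.Certificate{ica}, time.Now()
	fmt.Println("full chain:   ", check(leaf, "www.example.test", store, inters, now))
	fmt.Println("wrong name:   ", check(leaf, "shop.example.test", store, inters, now))
	fmt.Println("ICA missing:  ", check(leaf, "www.example.test", store, nil, now))
	fmt.Println("root unlisted:", check(leaf, "www.example.test", []*x509.Certificate{other}, inters, now))
	fmt.Println("expired:      ", check(leaf, "www.example.test", store, inters, now.Add(48*time.Hour)))
}
```

Only the first call returns no error; the "ICA missing" case is the failure a server produces when it is configured with its end entity certificate but not the intermediate.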

What goes into running a CA?

As a trust anchor for the Internet, CAs have significant responsibility. As such, running a CA within the auditable requirements is a complex task. A CA's infrastructure consists of considerable operational elements, hardware, software, policy frameworks and practice statements, auditing, security infrastructure and personnel. Collectively, these elements are referred to as a trusted PKI (Public Key Infrastructure).

[Figure: CA Structure]

Certificates come in many different formats to support not just SSL, but also authenticate people and devices, and add legitimacy to code and documents. Visit the GlobalSign Products section for more information.

