
The Real Value of Certificate Authorities: Do Free Certificates Come at a Price?

February 20, 2018 | David Bisson

A certificate authority (CA) is an entity that issues the digital certificates that enable encryption. CAs are responsible for adding all of the certificate attributes that ultimately determine a certificate’s trustworthiness. This is important because these files help people, organizations, and machines exchange information securely online using the public key infrastructure (PKI). Digital certificates are also known as "public key certificates."

By issuing files like SSL/TLS certificates, CAs play a crucial role in keeping the web safe. As such, the most trusted CAs adhere to several best practices. First, they uphold ubiquity, a principle explained by GlobalSign by which certificates that are to be transparently trusted demonstrate backward compatibility with older browsers and mobile devices. Second, they conduct a number of checks into the identity of an applicant, which include verifying the ownership of a domain, before issuing a digital certificate.


According to the Online Trust Alliance (PDF), they also store cryptographic keys on secure hardware, demonstrate compliance with regulations and policies, and look to improve certificate revocation technology. In exchange, applicants agree to abide by a CA's rules and pay the initial purchase cost and all subsequent renewal fees for a certificate.

But not all certificates come at a price. Today, services like Let's Encrypt and others offer digital certificates for free. Doing so in part helps ease the Internet's transition from SSL to TLS and broadens the base of websites offering encrypted sessions, thereby making the web a safer place.

Some see problems with this effort. As InfoWorld's Fahmida Y. Rashid explains:

"More certificates in circulation means cyber criminals will issue more counterfeit versions, making it difficult to know which ones to trust…. Free and self-signed certificates are also problematic because anyone with a domain can get them. ISRG [Internet Security Research Group] has said in the past that people won’t even need to create an account to get a certificate."

For these reasons and others, Rashid urges organizations not to exchange paid certificates for free ones. Some in the field might consider the absence of a price tag identified by Rashid to be too tempting for companies. Others wholeheartedly disagree.

One of those observers is a user named topnomi, who noted that free and paid digital certificates today fulfill two very different purposes:

"[A free certificate] doesn't replace the expensive certificates, it's an alternative when you're just shooting for encryption. There is very little verification of who you are. This will help create a more secure internet, but does not verify that the server you're connecting to is necessarily the bank you intended to contact. The expensive certificates provide verification that the server is who it says it is. In order to get one you have to verify lots of things, and the high cost is part of the verification. That's why there are different levels of certificates, depending on how important it is to verify the server's identity.

"In a way, creating a free certificate, with little verification, they have created a market for higher level certificates, in order to differentiate oneself from the free ones."

Today, organizations can pursue free and/or expensive certificates issued by a CA. Regardless of their choice, the availability of both options makes it harder for companies to keep track of and secure all their certificates. They should therefore consider investing in a solution that helps automate this process for them.


About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
