A certificate authority (CA) is an entity that issues the digital certificates that enable encryption. CAs are responsible for adding all of the certificate attributes that ultimately determine a certificate’s trustworthiness. This is important because, these files help people, organizations, and machines exchange information securely online using the public key infrastructure (PKI). Digital certificates are also known as "public key certificates."
By issuing files like SSL/TLS certificates, CAs play a crucial role in keeping the web safe. As such, the most trusted CAs adhere to several best practices. First, they uphold ubiquity, a principle explained by GlobalSign by which certificates that are to be transparently trusted demonstrate backward compatibility with older browsers and mobile devices. Second, they conduct a number of checks into the identity of an applicant, which include verifying the ownership of a domain, before issuing a digital certificate.
According to the Online Trust Alliance (PDF), they also store cryptographic keys on secure hardware, demonstrate compliance with regulations and policies, and look to improve certificate revocation technology. In exchange, applicants agree to abide by a CA's rules and pay the initial purchase cost and all subsequent renewal fees for a certificate.
But not all certificates come at a price. Today, services like Lets Encrypt and others offer digital certificates for free. Doing so in part helps ease the Internet's transition from SSL to TLS and broadens the base of websites offering encrypted sessions, thereby making the web a safer place.
Some see problems with this effort. As InfoWorld's Fahmida Y. Rashid explains:
"More certificates in circulation means cyber criminals will issue more counterfeit versions, making it difficult to know which ones to trust…. Free and self-signed certificates are also problematic because anyone with a domain can get them. ISRG [Internet Security Research Group] has said in the past that people won’t even need to create an account to get a certificate."
For these reasons and others, Rashid urges organizations to not exchange paid certificates with free files. Some in the field might consider the absence of a price tag identified by Rashid to be too tempting for companies. Others wholeheartedly disagree.
One of those observers is a user named topnomi, who noted that free and paid digital certificates today fulfill two very different purposes:
"[A free certificate] doesn't replace the expensive certificates, it's an alternative when you're just shooting for encryption. There is very little verification of who you are. This will help create a more secure internet, but does not verify that the server you're connecting to is necessarily the bank you intended to contact. The Expensive certificates provide verification that the server is who it says it is. In order to get one you have to verify lots of things, and the high cost is part of the verification. That's why there are different levels of certificates, depending on how important it is to verify the servers identity.
"In a way, creating a free certificate, with little verification, they have created a market for higher level certificates, in order to differentiate oneself from the free ones."
Today, organizations can pursue free and/or expensive certificates issued by a CA. Regardless of their choice, the availability of both options increases the difficulty of companies keeping track and securing all their certificates. They should therefore consider investing in a solution that helps automate this process for them.