When GuardSSL scans your SSL certificate, you'll see an Issuer field. This issuer is the Certificate Authority—or CA for short. But what exactly is a CA, and why is it so important?

What is a Certificate Authority?

A CA is like a notary public for the internet.

In the real world, when you need to prove your identity, you use government-issued ID. Everyone trusts that ID because they trust the government that issued it.

On the internet, websites need to prove "I really am example.com." A CA is the organization that vouches for that identity. Browsers trust CAs, CAs verify websites, and therefore users can trust websites.

How the Chain of Trust Works

There's a concept called the chain of trust:

Root CA (Root Certificate)
    ↓ signs
Intermediate CA (Intermediate Certificate)
    ↓ signs
Your Website's Certificate (End Entity Certificate)

Your computer and phone come pre-installed with trusted root certificates—these are the "authorities" that operating systems and browsers accept. When you visit a website:

The website presents its certificate
Your browser checks: Who issued this certificate?
It follows the chain upward—can it trace back to a pre-installed root certificate?
If yes, the connection is trusted. If not, you get a warning.

Common Certificate Authorities

You'll likely see these names in your GuardSSL scan results:

Let's Encrypt

Features: Free, automated, open
Best for: Personal sites, small projects
Validity: 90 days (requires auto-renewal)

DigiCert

Features: Enterprise-grade, high security
Best for: Large enterprises, financial institutions
Notable clients: Many Fortune 500 companies

Cloudflare

Features: Integrated with CDN services
Best for: Sites using Cloudflare
Advantage: Easy setup, automatic management

Sectigo (formerly Comodo)

Features: Affordable, wide variety
Best for: Small to medium businesses

GlobalSign

Features: Long history, globally recognized
Best for: International enterprises

Certificate Types: DV, OV, EV

CAs issue different types of certificates based on how thoroughly they verify your identity:

DV (Domain Validation)

Only verifies you control the domain
Fastest to obtain—usually minutes
Free from Let's Encrypt
Sufficient for most websites

OV (Organization Validation)

Verifies domain + company existence
Requires business documentation, takes days
Shows company name in certificate details

EV (Extended Validation)

Most rigorous verification, multiple checks
Used to show a green company name in browsers
Now mainly visible in certificate details

How to Tell If a CA is Trustworthy

Seeing an unfamiliar issuer? Here's how to judge:

✅ Signs of Trust

It's a well-known CA or subsidiary
Browser shows no warnings
Complete certificate chain tracing to a root CA

❌ Red Flags

Browser displays "Certificate not trusted"
Issuer is "Self-Signed"
Non-standard CA forced by government or organization

The Problem with Self-Signed Certificates

Some people create self-signed certificates to save time—essentially vouching for themselves without third-party verification. It's like writing your own recommendation letter.

Self-signed certificates:

Trigger browser warnings
Require users to manually "add exception"
Only appropriate for internal testing
Never use in production!

What If a CA Gets Compromised?

While rare, it has happened. In 2011, DigiNotar was hacked and issued fraudulent certificates.

How the industry responds:

Browsers quickly remove compromised CAs
OCSP and CRL mechanisms revoke problem certificates
This is why you shouldn't trust random CAs

Key Takeaways

CAs are trusted organizations that verify website identities
Browsers and operating systems include pre-trusted root CAs
Let's Encrypt is a great free option for trusted certificates
Avoid self-signed certificates for public websites
If GuardSSL shows a well-known CA, your certificate is widely trusted

Choosing a reputable CA is the first step in building user trust.

Understanding Certificate Authorities (CAs): The Foundation of SSL Trust