Certificate authority (CA)
An organization that issues TLS certificates and whose root key is trusted by browsers and operating systems. The 'who signs your cert' in HTTPS.
A Certificate Authority (CA) is an organization that issues TLS certificates. Browsers and operating systems ship with a list of trusted root CAs; any cert signed by one (or by an intermediate CA that chains back to one) is automatically trusted.
The major CAs in 2026
| CA | Use case |
|---|---|
| Let's Encrypt | Free DV certs. Default for most SaaS. |
| ZeroSSL | Free DV certs, alternative to Let's Encrypt. |
| DigiCert | Commercial DV/OV/EV. Enterprise default. |
| GlobalSign | Commercial, code signing + TLS. |
| Sectigo (formerly Comodo) | Commercial, broad cert types. |
| Entrust | Commercial, financial / government. |
| Buypass | Smaller, free DV via the same ACME API Let's Encrypt uses. |
| Google Trust Services | Google-internal + some external. |
A typical root trust store contains ~100 CAs in total. Most of them you've never heard of.
What CAs actually verify
Three levels:
- Domain Validation (DV). Just that you control the domain. Issued in seconds. Free or cheap. 99% of HTTPS uses this.
- Organization Validation (OV). Domain control plus the organization's legal identity. Takes 1–3 days, $50/yr.
- Extended Validation (EV). The most thorough vetting. Browsers used to show the company name in the address bar for EV certs, but that UI was removed in 2019. Now mostly legacy.
The "trust store" detail
Browsers and OSes each maintain their own root store. They mostly overlap, but not entirely. A cert that works in Chrome on a Mac might fail on some embedded device, or vice versa. When you pick a CA, check that its roots are present in every trust store your customers will use.
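As an added example (not code from the original page), here is the chain walk a browser performs, written in Go with only the standard library: a constructed root, intermediate and leaf are verified against a root store that contains the root and against one that does not. All CA and host names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues one certificate signed by parent; a nil parent means self-signed (a root).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign} // CA: may sign other certs
	if !isCA {
		tmpl.DNSNames = []string{cn} // leaf: the hostname a browser will match against
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainsToRoot does what a browser does: walk leaf -> intermediate -> a root in the
// given store, checking signatures, validity windows, CA flags and the hostname.
func ChainsToRoot(leaf, inter *x509.Certificate, roots *x509.CertPool, host string) error {
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() { // constructed three-tier chain, then two different "root stores"
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	inter, interKey := mkCert("Example Intermediate CA", true, root, rootKey)
	leaf, _ := mkCert("app.example.com", false, inter, interKey)
	chrome := x509.NewCertPool() // a store that ships our root
	chrome.AddCert(root)
	fmt.Println("store with our root:   ", ChainsToRoot(leaf, inter, chrome, "app.example.com"))
	fmt.Println("store without our root:", ChainsToRoot(leaf, inter, x509.NewCertPool(), "app.example.com"))
}
```

The second check fails with "certificate signed by unknown authority", which is exactly the error a customer on a device whose store lacks your CA's root would see.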
Why this matters for SaaS
You don't usually run your own CA. You delegate to Let's Encrypt and let your automation handle issuance. The CA starts to matter when you hit rate limits, need a specific cert type (a wildcard, which requires the DNS-01 challenge), or have an enterprise customer demanding a specific issuer.