What is a Certificate Authority? | SwissSign
A data security specialist by Swiss Post

Adrian Mueller • 07.04.2025

What is a Certificate Authority?

From secure websites and encrypted emails to digital signatures – every trusted digital identity relies on a Certificate Authority. Acting as the backbone of online trust, CAs verify, confirm, and safeguard identities across the internet, making them essential for secure communication in business, government, and everyday digital life.

In an increasingly digitised world, where communication, business processes and government operations take place online, trust has become a crucial currency. This is where so-called Certificate Authorities (CAs), or Certification Authorities, come into play.

Summary: The role of a Certificate Authority explained in simple terms 

A Certificate Authority is a trusted entity that issues digital certificates. A certificate binds a public key to the identity of a person, organisation or technical system; in essence, it says, "Yes, this website, this email address or this document really belongs to the entity listed." It is the CA that vouches for this binding, much like an ID card or a notary's certification does in the offline world. Without these entities, it would be nearly impossible to distinguish between real and fake identities online. The CA therefore plays a key role in the Internet's trust network.

Certificate Authorities are the invisible guardians of the digital world, ensuring that identities on the internet can be reliably verified and data can be securely transmitted. But what exactly is a Certificate Authority, how does it work - and why do we need it?

What are digital certificates needed for? 

Digital certificates are used in many areas. The most well-known examples are:

  • SSL/TLS certificates for websites: they bind a domain name to the server's public key, so that the browser can authenticate the server before the connection is encrypted (recognisable by "https://" in the address bar).

  • S/MIME certificates for email: they allow emails to be encrypted and signed, so that tampering with the content or forging of the sender address is detected by the recipient.

  • Machine identities and IoT: devices or software components can also use certificates to authenticate each other.

  • Digital signatures: documents or contracts can be signed electronically, with a certificate confirming that the signing key belongs to the person indicated.

In all these cases, the CA creates the basis for trust: it verifies the identity of the requesting party before issuing the certificate. How thorough that verification is depends on the type of certificate, from an automated check that the applicant controls a domain to personal identification of an individual.

How does a Certificate Authority work?

The process can be roughly divided into the following steps:

  • Application: an organisation or person generates a key pair, keeps the private key, and submits a certificate signing request (CSR) containing the public key and the requested identity data to a CA.

  • Identity verification: the CA checks whether the information is correct. This can range from an automated check that the applicant controls the domain to personal identification of an individual.

  • Certificate issuance: after successful verification, the CA creates a certificate that binds the applicant's public key to the verified identity, signs it with its own private key, and sends it to the applicant.

  • Publication: the certificate can be published, for example in a directory or, in the case of public TLS certificates, in Certificate Transparency logs, so that other systems can look it up and misissuance can be detected.

  • Revocation and status services: if a private key is compromised or the data in a certificate is no longer correct, the CA revokes the certificate before it expires and publishes this in a Certificate Revocation List (CRL) or via OCSP, a service that answers status queries for individual certificates. A relying party must treat a revoked certificate as untrusted even though it has not yet expired.

Technically, the system is based on so-called Public Key Infrastructure (PKI). A CA signs the certificate with its private key, and anyone who holds the CA's public key can check that signature. In practice a browser holds only root certificates in its root store; the issuing CA's certificate is itself signed by a root, so the browser verifies a chain of signatures from the end-entity certificate up to a trusted root, checking along the way that each certificate is within its validity period, that the intermediate is permitted to act as a CA, and that the name in the certificate matches the site being visited.

What is Public Key Infrastructure?

In our blog, we explain how a Public Key Infrastructure is built and what role CAs play in it.

Types of CAs and certificates

Not all CAs are the same. They can be distinguished by their area of application and by their position in the hierarchy.

By area of application:

  • Private CAs: Larger companies often operate their own internal CAs for internal systems and communication.

  • Public CAs: These offer certificates for use on the Internet - for example, for websites or email traffic.

  • Legally regulated CAs: For example, for the issuance of certificates for qualified electronic signatures.

By position in the hierarchy:

  • Root CAs are the highest level of trust. Their certificates are self-signed and are the ones shipped in the root stores of browsers and operating systems; the root key is used as rarely as possible and is typically kept offline.

  • Root CAs issue certificates for "Sub CAs" or "Issuing CAs", which in turn issue certificates to end entities such as websites, people and devices. This layering increases security because the root key is not used in day-to-day operation: if an issuing CA is compromised, it can be revoked on its own while the root remains trusted.
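
The application-to-revocation steps listed earlier and the root / issuing CA hierarchy described just above, as one added example. This is not code from the original article and not SwissSign's software; it is a Go program (standard library only, Go 1.19 or newer for the CRL API) that builds a self-signed root, an issuing CA signed by it and a 90-day server certificate, verifies the chain the way a browser does against a root store, shows the failure once the root is left out of that store (which is what removal from a root store means in practice), and publishes and checks a CRL. The names "Example Root CA", "Example Issuing CA" and "www.example.com" and all lifetimes are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is the hierarchy from the article: an offline root, an issuing CA signed by it, one end entity.
type demoPKI struct {
	Root, Issuing, Leaf *x509.Certificate
	issuingKey          *ecdsa.PrivateKey // the only key used day to day; the root key is put away after signing the issuing CA
	CRL                 *x509.RevocationList
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with the parent's private key; parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// caTemplate marks a CA; pathLen 0 means "end entities only", so a compromised issuing CA cannot mint sub-CAs.
func caTemplate(serial int64, cn string, years, pathLen int) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// buildPKI runs the issuance steps: root signs itself, root signs the issuing CA, issuing CA signs a 90-day
// server certificate. Names and lifetimes are assumptions made for this example.
func buildPKI() *demoPKI {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, issKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Root CA", 10, 1)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	issuing := issue(caTemplate(2, "Example Issuing CA", 5, 0), root, &issKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames:  []string{"www.example.com"}, // browsers match the SAN, not the CN
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 90),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, issuing, &leafKey.PublicKey, issKey)
	p := &demoPKI{Root: root, Issuing: issuing, Leaf: leaf, issuingKey: issKey}
	p.publishCRL() // the first CRL is empty: nothing revoked yet
	return p
}

// verifyLeaf does what a browser does: trust only the root store, take the intermediate from the server's
// chain, then check signatures, validity periods, CA constraints and the host name. trustRoot=false
// models a CA whose root has been removed from the root store.
func (p *demoPKI) verifyLeaf(host string, trustRoot bool) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	if trustRoot {
		roots.AddCert(p.Root)
	}
	inter.AddCert(p.Issuing)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

// publishCRL signs a fresh CRL with the issuing CA key listing the given certificates as revoked.
func (p *demoPKI) publishCRL(revoked ...*x509.Certificate) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(now.UnixNano()), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)} // Number must grow with every CRL
	for _, c := range revoked { // pkix.RevokedCertificate builds on Go 1.15+; Go 1.21+ also offers RevokedCertificateEntries
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, p.Issuing, p.issuingKey))
	p.CRL = must(x509.ParseRevocationList(der))
}

// leafRevoked is the relying party's check: the CRL must be signed by the certificate's issuer and must
// not be stale; only then is the serial number looked up.
func (p *demoPKI) leafRevoked() (bool, error) {
	if err := p.CRL.CheckSignatureFrom(p.Issuing); err != nil {
		return false, err
	}
	if time.Now().After(p.CRL.NextUpdate) {
		return false, fmt.Errorf("CRL is stale, status unknown")
	}
	for _, rc := range p.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.Leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p := buildPKI()
	fmt.Println(p.verifyLeaf("www.example.com", true), p.verifyLeaf("www.example.com", false))
}
```

Run with `go run`: the first result is nil (valid chain, trusted root), the second an x509.UnknownAuthorityError, because the leaf and intermediate are unchanged but the root is no longer in the store. The same functions also answer the two other questions a relying party asks: verifyLeaf("mail.example.com", true) fails with a host name mismatch, and after publishCRL(p.Leaf) the call leafRevoked() returns true. Note that the CA side panics on failure (it is a demo of issuance), while the relying-party side returns errors, which is where the decision to distrust belongs.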

Trust in the CA - why it works 

CAs are trusted only because they are regularly audited and certified. Operating systems and browsers maintain so-called root stores, which list trusted CAs. Only CAs that meet certain technical, legal and organisational requirements are included in the root stores. These include, among others:

  • Regular audits according to standards such as WebTrust or ETSI

  • Secure infrastructure and protection of private keys

  • Transparent processes for the issuance, revocation and management of certificates 

If a CA is compromised or violates the rules, it can be removed from the root store, with far-reaching consequences for every certificate it has issued: browsers no longer treat them as trusted, websites that use them are blocked behind a security warning, and signed or encrypted emails are no longer recognised as trustworthy. For the affected companies this can have massive business consequences.

Difference between Certificate Authority and Trust Service Provider 

In everyday language, the terms "Certificate Authority (CA)" and "Trust Service Provider (TSP)" are often used synonymously, but there is an important difference - especially in the European legal context. 

A Certificate Authority is primarily a technical entity that issues and manages digital certificates. Its focus is on the cryptographic aspect of identity verification, for example for websites or email communication. 

A Trust Service Provider, on the other hand, is a broader term that encompasses all providers that offer so-called trust services according to, for instance, the European eIDAS Regulation or the Swiss ZertES Act. This includes not only certificate services, but also electronic timestamps, electronic seals and, in particular, qualified electronic signatures. A TSP can therefore include a CA - but not every CA is automatically a TSP in the legal sense. 

In practice, this means that only an officially recognised Trust Service Provider may issue qualified signatures that are generally equivalent to a handwritten signature. SwissSign, for example, is both a CA and a recognised Trust Service Provider in Switzerland.

Which CAs are there in Switzerland? 

In Switzerland, there are several certification authorities that issue different types of digital certificates. SwissSign is the only CA that offers both SSL/TLS and S/MIME certificates for the Internet as well as qualified electronic signatures and seals according to the Federal Act on Electronic Signatures (ZertES) and the European regulation eIDAS. QuoVadis Trustlink Switzerland AG, now part of the US company DigiCert, is also active, particularly in the corporate environment. Swisscom and the Federal Office of Information Technology, Systems and Telecommunication (FOITT) are also legally recognised providers, but neither offers certificates for the public Internet.

Which CAs are there in Germany?

SwissSign is also represented in the EU with a subsidiary (in Austria) and offers services certified according to eIDAS for German and other European companies. In Germany, D-TRUST GmbH, a company of the German Federal Printing Office group (Bundesdruckerei), is one of the best-known providers of digital certificates and qualified trust services. Deutsche Telekom, through T-Systems and Deutsche Telekom Security GmbH, also offers a wide range of certificates. The Federal Network Agency (Bundesnetzagentur) maintains an up-to-date list of all qualified trust service providers under the eIDAS Regulation.

Why SwissSign plays a special role 

SwissSign is a certification authority based in Switzerland with a clear focus on data protection, legal certainty and technical excellence. As a recognised provider of certificate services under the Federal Act on Electronic Signatures (ZertES), SwissSign meets the highest requirements for the trustworthiness and quality of its services. 

SwissSign offers not only classic SSL/TLS certificates, but also qualified electronic signatures. These signatures have the same legal validity as a handwritten signature. 

SwissSign stands for 100% Swiss Made - with a fully self-managed, geo-redundant infrastructure in Switzerland. This means: maximum security and availability, as well as optimal protection of sensitive customer data. As a recognised Trust Service Provider, SwissSign is committed to meeting the highest security standards and regulatory requirements - for the highest level of trust with you and your end-customers. 

With over 20 years of experience in the field of digital identities, SwissSign brings deep expertise and a strong understanding of individual customer requirements to the table. Whether PKI, signatures or electronic identities - you get all services from a single source. This is complemented by personal, professional advice that helps you make well-informed decisions at all times in the interests of your business and your customers.

Conclusion: CA as the anchor of trust in the digital world 

Without Certificate Authorities, secure and trustworthy communication on the Internet would not be possible. They ensure that digital identities are verifiable, data can be transmitted in an encrypted manner, and digital signatures are legally recognised. Especially in a time when cybercrime, identity theft and data breaches are on the rise, the role of CAs is more important than ever. They are the backbone of the digital trust infrastructure - mostly invisible, but indispensable.

Frequently Asked Questions on Certificate Authorities

What is a Certificate Authority explained simply?

A CA is an organisation or entity that issues digital certificates to confirm that someone or something really has the stated identity - for example, a website or a person.

What do I need a digital certificate for?

For secure websites (HTTPS), email encryption and signing, digital signatures or for authenticating devices and users.

What happens when a CA is no longer trustworthy?

It is then removed from the root stores, and every certificate it has issued stops being trusted, sometimes with serious consequences for the affected services.

Is SwissSign a CA?

Yes, SwissSign is a recognised certification authority in Switzerland that issues both public certificates for the Internet and qualified certificates according to the Swiss Signatures Act ZertES or according to the EU Regulation eIDAS.

What you should do now

1. Choose your certificate and secure your online or email communication right away: Buy the certificate now in our webshop. A simple installation guide is included. 

Order certificates now

2. Simplify your certificate management for TLS/SSL and e-mail: With our Managed PKI (MPKI), you can independently manage certificates for your employees, customers and partners according to your needs and save compared to purchasing individual certificates.

Order MPKI now

3. Get advice on how to optimise your PKI set-up – can you achieve a lower cost of ownership with MPKI? Would it make sense to invest in certificate lifecycle management?

Request a consultation now

4. If you have learned something from our article, please feel free to share it with others in your organisation. You can also save the link for later or share it on LinkedIn.