On this page
- What a Certificate Authority Actually Does
- Types of Certificates a CA Issues
- How Certificate Validation Works Step by Step
- Why CA Trust Stores Determine Everything
- eIDAS, QWAC Certificates, and PSD2 Compliance
- Certificate Lifecycle Management: The Part Most Teams Get Wrong
- Choosing a Certificate Authority: Criteria That Actually Matter
- Certificate Authority in Zero-Trust Architecture
A Certificate Authority (CA) is the organization that issues, signs, and revokes digital certificates used to authenticate websites, services, and identities online. Without a trusted CA in the chain, browsers reject connections, APIs fail mutual authentication, and regulatory compliance breaks down. In Canadian fintech and government digital identity contexts, the CA you choose directly affects your PSD2 readiness, eIDAS alignment, and TLS posture.

What a Certificate Authority Actually Does
A CA performs three core functions that most explanations collapse into one: it verifies the identity of the certificate applicant, it cryptographically signs the certificate binding that identity to a public key, and it maintains the revocation infrastructure so that compromised certificates stop being trusted within minutes rather than days.
The trust model depends on a hierarchy:
- Root CA — the ultimate trust anchor, stored in operating system and browser trust stores (Mozilla NSS, Microsoft CTL, Apple Root Program)
- Intermediate CA — signs end-entity certificates; isolates the root from day-to-day issuance
- End-entity certificate — issued to a domain, organization, or individual; expires and must be renewed
Root CAs rarely sign certificates directly. The intermediate layer limits blast radius if an intermediate is compromised: the root can revoke just that intermediate rather than every certificate ever issued.
Types of Certificates a CA Issues
| Certificate Type | Validation Level | Typical Use Case | Max Validity (2026) |
|---|---|---|---|
| DV (Domain Validated) | Domain control only | Internal tools, dev/staging | 47 days (post-2026 CAB/F ballot) |
| OV (Organization Validated) | Domain + org identity | Corporate websites, APIs | 47 days |
| EV (Extended Validated) | Full legal entity check | High-assurance fintech portals | 47 days |
| QWAC (Qualified Website Auth. Cert.) | eIDAS Qualified + PSD2 role | Open banking, PSD2 APIs | 1–2 years (eIDAS scheme) |
| Code Signing | Org identity + key storage | Software distribution, firmware | 3 years |
| S/MIME | Individual or org | Encrypted email, document signing | 1–3 years |
| Client Certificate | Device or person | Mutual TLS, zero-trust access | Custom |
The 47-day maximum for publicly trusted TLS certificates comes from CA/Browser Forum Ballot SC-081, which phases in between 2025 and 2029 with the 47-day cap effective March 2029. Planning certificate automation now prevents operational failures at that deadline.
How Certificate Validation Works Step by Step
- Applicant generates a key pair — private key stays on the applicant's infrastructure; public key goes into the Certificate Signing Request (CSR).
- CA receives the CSR — verifies domain control via DNS TXT record, HTTP file, or email (DV); adds org identity checks for OV/EV.
- CA signs the certificate — binds the public key to the verified identity using its intermediate CA private key.
- Certificate is published to Certificate Transparency (CT) logs — mandatory for all publicly trusted TLS certs since 2018.
- Revocation infrastructure is updated — OCSP responders and CRLs reflect the new certificate's serial number as valid.
- Relying parties verify — browsers, API gateways, and mobile apps check the chain, CT log inclusion, and revocation status before completing the handshake.
Why CA Trust Stores Determine Everything
Your certificate is only trusted if the issuing CA's root appears in the trust store of the client making the connection. There are four major trust programs that matter for Canadian operators:
- Mozilla NSS — used by Firefox and most Linux distributions
- Microsoft CTL — used by Windows, Edge, and any Windows-native application
- Apple Root Program — used by Safari, iOS, macOS apps
- Google Chrome Root Program — Chrome manages its own root store separately from the OS since 2022
A CA that is removed from any one of these programs causes immediate connection failures for that client base. Mozilla has removed CAs for failure to comply with audit requirements; DigiNotar (2011) and TrustCor (2022) are the most widely cited cases. When evaluating a CA, check its current audit status: WebTrust for CAs and ETSI EN 319 411 are the two dominant audit frameworks.
eIDAS, QWAC Certificates, and PSD2 Compliance
For Canadian fintechs operating in or connecting to European markets, eIDAS introduces a category of certificate that goes beyond standard TLS: the Qualified Website Authentication Certificate (QWAC).
What makes a QWAC different from an EV certificate:
| Attribute | EV TLS | QWAC |
|---|---|---|
| Issuing CA type | Publicly trusted CA | eIDAS Qualified Trust Service Provider (QTSP) |
| Identity assurance | Legal entity name, jurisdiction | Same + PSD2 role (AISP, PISP, ASPSP) |
| Regulatory recognition | CA/Browser Forum | EU eIDAS Regulation + RTS on SCA |
| Browser trust | Yes (same chain as DV/OV) | Yes (also serves as PSD2 credential) |
| Revocation speed | OCSP, CRL | OCSP, CRL + QTSP registry |
Under PSD2, third-party payment providers (TPPs) must present a QWAC or eIDAS-compliant certificate when calling bank APIs. A standard EV certificate does not satisfy this requirement. Canadian payment providers connecting to European open banking infrastructure need certificates from a QTSP listed on an EU Member State's Trusted List (TL).
Certificate Lifecycle Management: The Part Most Teams Get Wrong
Issuing a certificate is straightforward. Managing hundreds or thousands of them across cloud, on-premise, and partner environments is where organizations fail.
Common failure points:
- Manual renewal tracking in spreadsheets — leads to expired certificates and outages; a 2024 survey found certificate-related outages cost enterprises an average of $15,000 per hour
- No inventory of non-web certificates — S/MIME, code signing, and client certs are often invisible to the team that manages TLS
- Private key reuse across renewals — generates the same key for years, increasing the window of exposure if the key is ever compromised
- Ignoring CT log monitoring — rogue certificates issued for your domain appear in CT logs within minutes; monitoring for unexpected issuance is a basic security control
What automated certificate lifecycle management (CLM) covers:
- Discovery of all certificates across infrastructure
- Automated renewal via ACME protocol (Let's Encrypt, ZeroSSL, or private CA with ACME support)
- Private key rotation on every renewal
- Alerting on certificates expiring within 30, 14, and 7 days
- Integration with Kubernetes (cert-manager), Terraform, and CI/CD pipelines
Choosing a Certificate Authority: Criteria That Actually Matter
Generic advice says "pick a trusted CA." Here is what the decision actually involves for a Canadian fintech or enterprise:
| Criteria | Why It Matters | What to Check |
|---|---|---|
| Root program inclusion | Determines which clients trust your cert | Verify root in Mozilla, Microsoft, Apple, Chrome stores |
| Audit framework | WebTrust vs. ETSI affects eIDAS alignment | ETSI EN 319 411-1/2 required for QTSP status |
| ACME support | Required for short-validity cert automation | Check if CA exposes ACME endpoint |
| QWAC issuance capability | Needed for PSD2 API access in EU | Confirm QTSP listing on EU Trusted List |
| CRL/OCSP uptime SLA | Revocation infrastructure failure = distrust | Look for 99.9%+ availability commitment |
| Canadian data residency | Relevant for PIPEDA and provincial privacy law | Ask where certificate metadata and keys are stored |
| Customer support response | Missuance corrections need fast CA response | Test pre-sales response time as a signal |
Certificate Authority in Zero-Trust Architecture
Modern zero-trust networks rely on mutual TLS (mTLS) for service-to-service authentication, which means a private CA — not a public one — issues certificates to internal workloads.
Public CA vs. Private CA for internal use:
- Public CA certificates for internal services expose your internal hostnames to CT logs (a privacy and security issue)
- Private CAs (HashiCorp Vault PKI, AWS Private CA, Microsoft ADCS, or a dedicated internal CA) issue certificates that never appear in public CT logs
- Private CA certificates are not trusted by external clients by default — they require distribution of the private root to managed devices
A zero-trust architecture typically uses both: a public CA for external-facing TLS, a private CA for internal mTLS between microservices, and a separate CA for device identity certificates issued through an MDM.
Planning an implementation?
Keep the legal entity, domain controls and certificate lifecycle in the same review.
Discuss your use caseFrequently asked questions
Practical answers
What is the difference between a CA and a Registration Authority?
A Registration Authority (RA) handles identity verification on behalf of a CA but does not issue or sign certificates. The CA retains signing authority.
How does certificate revocation work when a private key is compromised?
The certificate holder contacts the issuing CA and requests revocation, providing proof of compromise or authorization. The CA updates its CRL and marks the certificate's serial number as revoked in its OCSP responder, typically within one hour for major CAs.
Do Canadian organizations need eIDAS-compliant certificates?
Not for domestic operations. eIDAS is an EU regulation.
What happens when a Certificate Authority is distrusted by a browser?
Distrust is applied either to new certificates issued after a specific date or to all certificates from that CA. Existing certificates issued before the distrust date may continue to work in some browsers for a limited period.