Home/Website authentication

Canadian certificate guidance

Website authentication

Website authentication is the technical process of proving a server is who it claims to be before a browser or API client exchanges any data with it. In 2026, this process runs on a combination of TLS certificates, certificate authority (CA) trust chains, and...

Discuss your use case
On this page
  1. What Website Authentication Actually Does
  2. Types of Website Authentication Certificates
  3. How TLS Certificate Validation Works Step by Step
  4. eIDAS 2.0 and Its Impact on Website Authentication in 2026
  5. PSD2 Certificate Requirements Explained
  6. Certificate Transparency and Why It Matters
  7. Common Website Authentication Vulnerabilities
  8. Certificate Lifecycle Management for Organizations

Website authentication is the technical process of proving a server is who it claims to be before a browser or API client exchanges any data with it. In 2026, this process runs on a combination of TLS certificates, certificate authority (CA) trust chains, and regulatory frameworks like eIDAS 2.0 and PSD2. Getting it wrong means browsers show security warnings, payment processors reject connections, and compliance audits fail.

Website authentication — digital certificate and security infrastructure
Illustrative security infrastructure context.

What Website Authentication Actually Does

Authentication at the transport layer answers one question: is this server the legitimate owner of the domain or legal entity it claims to represent?

A TLS handshake accomplishes three things simultaneously:

  • Verifies the server certificate is signed by a trusted CA
  • Establishes the public key used to negotiate an encrypted session
  • Confirms the certificate has not been revoked

Without this process, encrypted traffic is meaningless. Encryption without authentication allows a man-in-the-middle attacker to intercept the session while both endpoints believe they are communicating securely.

Types of Website Authentication Certificates

Not all certificates provide the same level of identity assurance. The difference matters for regulatory compliance and user trust signals.

Certificate TypeIdentity CheckUse CaseIssuance Time
Domain Validation (DV)Domain control onlyBlogs, internal toolsMinutes to hours
Organization Validation (OV)Domain + legal org checkBusiness websites, APIs1-3 days
Extended Validation (EV)Domain + legal + physical addressFinancial services, e-commerce3-7 days
QWAC (Qualified Website Authentication Certificate)eIDAS 2.0 regulated identityPSD2 APIs, EU/cross-border fintech1-5 days

For Canadian organizations operating in regulated industries or accessing European payment infrastructure, the distinction between OV and QWAC is significant. A standard OV certificate satisfies HTTPS requirements, but a QWAC carries legally recognized identity under eIDAS 2.0, making it machine-readable for financial APIs.

How TLS Certificate Validation Works Step by Step

Understanding the validation chain matters for anyone deploying certificates in a production environment.

  1. The browser connects to the server and requests its certificate
  2. The server sends its certificate plus any intermediate CA certificates
  3. The browser checks that each certificate in the chain is signed by the one above it
  4. The root CA certificate is verified against the browser's or OS trust store
  5. The browser checks certificate validity period and revocation status via OCSP or CRL
  6. If all checks pass, the handshake completes and the session is encrypted

A broken chain at any step causes a trust error. Common causes in Canadian enterprise environments include missing intermediate certificates after renewal, certificates installed on the wrong server, or expired roots in custom CA bundles used by internal applications.

eIDAS 2.0 and Its Impact on Website Authentication in 2026

The European Union's eIDAS 2.0 regulation came into full effect and introduced changes that affect any organization exchanging data with European financial institutions, payment networks, or government services.

Key changes relevant to website authentication:

  • QWACs are now required for PSD2 open banking API endpoints in the EU
  • The EU Digital Identity Wallet (EUDIW) framework relies on qualified certificates for relying party authentication
  • Cross-border identity assertions must use certificates from EU Trust List (EUTL) accredited providers
  • Non-EU organizations accessing EU infrastructure need certificates from EUTL-recognized CAs or bilateral recognition agreements

For Canadian fintechs expanding into the EU market, this creates a practical requirement: standard Canadian SSL certificates issued by DigiCert, GlobalSign, or Sectigo satisfy domestic HTTPS needs, but they do not satisfy eIDAS 2.0 qualified certificate requirements for API authentication with European payment service providers.

PSD2 Certificate Requirements Explained

PSD2 (Payment Services Directive 2) mandates that third-party payment providers (TPPs) use specific certificate types to authenticate to Account Servicing Payment Service Providers (ASPSPs), which are typically banks.

Certificate TypeFunction Under PSD2Required For
QWACWebsite/API authentication, TLS identityAll TPP-to-ASPSP connections
QSealC (Qualified eSeal Certificate)Signing payment messages, non-repudiationTransaction signing, message integrity

Both certificate types must be issued by a qualified Trust Service Provider (QTSP) listed on a national EUTL. In practice, this means Canadian organizations doing PSD2 business need certificates from a QTSP that either operates in Canada with EU recognition or has a cross-border agreement in place.

A common mistake is using a standard OV certificate for PSD2 API connections and assuming it satisfies the regulation. Banks' API gateways validate certificate type programmatically. An OV certificate will fail authentication even if the underlying TLS handshake completes.

Certificate Transparency and Why It Matters

Since 2018, all publicly trusted TLS certificates must be logged to Certificate Transparency (CT) logs before a browser accepts them. In 2026, CT log requirements have expanded.

What CT provides:

  • Public, append-only record of every certificate issued for a domain
  • Detection of misissued or unauthorized certificates within hours
  • Audit trail for compliance purposes

For security teams, monitoring CT logs for your domains is a practical early-warning system. If a certificate appears in a CT log for a domain you control and you did not request it, that indicates either a CA compromise or a social-engineering attack against your domain registrar or CA account.

Tools like crt.sh allow manual domain lookups. Automated CT monitoring should be part of any enterprise certificate management workflow.

Common Website Authentication Vulnerabilities

Certificates solve identity verification, but deployment errors create vulnerabilities that certificates alone cannot address.

VulnerabilityRoot CauseDetection Method
Expired certificateNo automated renewalCertificate monitoring, browser error reports
Mixed contentHTTP resources loaded on HTTPS pageBrowser console, automated scanning
Weak cipher suitesOutdated server TLS configurationSSL Labs scan, PCI DSS assessment
Subdomain takeoverDNS entry pointing to deprovisioned serviceDNS audits, CT log monitoring
Certificate pinning failureApp update without pin rotationMobile crash reports, API 401 errors

Expired certificates remain the most common and avoidable incident. A 2024 Ponemon Institute survey found that 54% of organizations experienced at least one unplanned outage caused by an expired certificate in the previous 24 months. Automated Certificate Management Environment (ACME) protocol adoption, now supported by most major CAs, reduces this risk significantly.

Certificate Lifecycle Management for Organizations

Managing more than a handful of certificates manually is not practical. Organizations in fintech, healthcare, and government typically manage dozens to hundreds of certificates across different environments.

A functional certificate lifecycle process covers:

  • Inventory: knowing every certificate deployed, where, and by whom
  • Issuance: standardized request and approval workflow
  • Deployment: automated installation with validation checks
  • Renewal: triggered at 60-90 days before expiry, not at expiry
  • Revocation: process for immediate revocation on key compromise
  • Audit: quarterly or annual review of certificate usage and policy compliance

Canadian organizations subject to PIPEDA, provincial privacy legislation, or financial services regulations (OSFI guidelines) should treat certificate management records as part of their security documentation for audit purposes.

Choosing the Right Certificate for Your Use Case

The decision depends on three factors: the regulatory environment, the technical endpoint, and the trust signal needed by end users or API clients.

For a Canadian business with no EU operations and no payment processing, OV certificates from any major CA provide sufficient authentication for HTTPS and API connections.

For a fintech operating under PSD2 or connecting to European open banking infrastructure, a QWAC from a recognized QTSP is a hard requirement, not an option.

For internal API-to-API authentication, private CA certificates issued from an internal PKI often make more sense than publicly trusted certificates, particularly for zero-trust network architectures where all endpoints are explicitly enrolled.

For customer-facing websites where legal entity identity needs to be visible in certificate metadata, EV certificates still provide organization name and jurisdiction in the certificate's Subject field, which is accessible through browser certificate details even though most browsers no longer display it in the address bar.

Planning an implementation?

Keep the legal entity, domain controls and certificate lifecycle in the same review.

Discuss your use case

Frequently asked questions

Practical answers

What is the difference between SSL and TLS in the context of website authentication?

SSL (Secure Sockets Layer) was the predecessor to TLS (Transport Layer Security). SSL 2.0 and 3.0 are both deprecated and insecure.

Do Canadian websites need eIDAS-compliant certificates?

Not for purely domestic operations. eIDAS 2.0 is an EU regulation.

How often should website authentication certificates be renewed?

The maximum validity period for publicly trusted TLS certificates has progressively shortened. As of 2026, the CA/Browser Forum has approved a reduction to 47-day maximum validity periods, phased in over 2026-2027.

What happens if a website's certificate is revoked?

When a certificate is revoked, the CA adds its serial number to a Certificate Revocation List (CRL) and updates its OCSP responder. Browsers that perform revocation checking will receive a revoked status and display a certificate error.