DEV Community

Fizee


What's the Difference Between SSL Certificate CA Brands — and Why Do Prices Vary So Much?

You open your browser, visit a website, and see a little padlock 🔒 in the address bar. You know it means "secure" — but have you ever wondered who gets to decide that?

The answer is: a CA.

What Is a CA?

CA stands for Certificate Authority. Its job is simple: vouch for your website and tell browsers "this site is legitimate, not a phishing page."

When you need something officially notarized, you go to a government-recognized notary — you can't just write a note saying "I certify that I'm trustworthy." SSL certificates work the same way. They have to be issued by a CA that browsers and operating systems already trust. Without that, browsers throw up a red warning and your visitors run.

Getting onto that trusted list is no small feat. Chrome, Firefox, and Safari each maintain a root certificate trust store, and getting in requires passing rigorous security audits, complying with international standards (like those set by the CA/Browser Forum), and undergoing regular third-party reviews. Only then do the certificates a CA issues actually work in those browsers.

There are only a few dozen CAs trusted by major browsers worldwide. DigiCert, Sectigo (formerly Comodo), GlobalSign, and Entrust are among the largest by market share. China has WoSign, but after being caught mis-issuing certificates, it was removed from Mozilla's and Apple's trust lists in 2016. They've since made changes, but it's worth double-checking compatibility before using them.

So What Actually Differs Between CAs?

If all CA-issued certificates are trusted by browsers, does it matter which one you pick?

It does. Here's where they actually differ:

How Rigorous Is the Validation?

SSL certificates come in three validation levels — DV, OV, and EV. I covered the differences in detail in a previous post, so I won't repeat it all here.

The short version: DV only verifies domain ownership and takes minutes; OV confirms your organization actually exists and takes a few days; EV is the most thorough and can take a week or two.

What's less obvious is that different CAs apply these standards with different levels of strictness. Two CAs can both offer OV certificates — one might approve you after a quick phone call, another might require notarized documents. That affects the certificate's credibility, which is why larger enterprises tend to stick with established CAs whose audit track record is well-documented.

Has the CA Ever Had a Security Incident?

A CA's entire value is built on trust — and when that trust breaks, the consequences are severe.

There are real cautionary tales. Dutch CA DigiNotar was hacked in 2011, fraudulent certificates were issued at scale, and the company was wiped from every browser's trust list and went out of business shortly after. WoSign, mentioned above, was removed for rule violations.

When evaluating a CA, it's worth checking how long they've been around, whether they've had any major incidents, and whether they've ever been sanctioned by browser vendors. Established names have a longer track record to scrutinize — which is usually a good thing.

Root Certificate Coverage

This is a slightly more technical difference: whether a CA's root certificate is pre-installed across all major devices.

Major CAs got their root certificates into Windows, macOS, iOS, and Android trust stores early — so compatibility is essentially universal. Newer or smaller CAs may not be in every legacy system yet. If that happens, visitors to your site will see a certificate warning even though you paid for a valid cert.

For most use cases this isn't an issue — the mainstream CAs are fine. But if your users are on older hardware, legacy operating systems, or embedded devices, this is worth checking carefully.
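As an added example (not code from the original post), this Go program builds a throwaway root CA and a 90-day leaf certificate entirely in memory, then verifies the leaf against a trust store that contains that root and against one that only holds an unrelated root, which is exactly the "valid cert, but this device never shipped your CA's root" situation described above. All names (Example Root CA, Unrelated Root CA, www.example.test) are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a key and certificate for cn signed by parent/parentKey; a nil parent yields a self-signed root.
func issue(cn string, serial int64, isCA bool, days int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the SAN a client matches against the host name
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TrustedBy reports whether leaf chains to a root in store. With the issuing root absent,
// Verify fails with x509.UnknownAuthorityError although the certificate itself is valid.
func TrustedBy(leaf *x509.Certificate, store []*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range store { pool.AddCert(r) }
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: pool})
	return err == nil
}
// Demo: one CA, one 90-day leaf, two "devices" whose trust stores differ only in that root.
func Demo() (hasRoot, lacksRoot bool) {
	root, rootKey := issue("Example Root CA", 1, true, 3650, nil, nil)
	other, _ := issue("Unrelated Root CA", 2, true, 3650, nil, nil)
	leaf, _ := issue("www.example.test", 3, false, 90, root, rootKey)
	return TrustedBy(leaf, []*x509.Certificate{root, other}), TrustedBy(leaf, []*x509.Certificate{other})
}
```

The same leaf passes on the first "device" and fails on the second; nothing about the certificate changed, only whether the verifier's store contains the issuing root.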

So Why Do Prices Vary So Much?

With that background, the price differences start to make sense.

The same DV certificate is free from Let's Encrypt, costs around ¥199/year from some domestic platforms, and can run over ¥1,000/year from DigiCert. Same encryption, same browser trust — what are you actually paying for?

Brand Value and Procurement

DigiCert and GlobalSign carry real weight in enterprise procurement, compliance audits, and financial regulation. When a large company buys an SSL certificate, finance needs to log the vendor, IT needs documentation, and legal needs to sign off on supplier qualifications.

You're not just buying a certificate — you're buying a brand name that can go on a purchase order.

From an individual's perspective this might look like a premium for nothing. In enterprise procurement, it's a genuine requirement.

Warranty Coverage

Many paid certificates include a commercial warranty. If a certificate-related issue — say, a CA private key compromise leading to a fraudulent cert — causes losses for users, the CA promises to pay up to a certain amount.

DigiCert's premium certificates go up to $1.75 million. Entry-level Sectigo might cover $10,000. Let's Encrypt: $0.

These warranties are rarely invoked in practice, but in finance, healthcare, and other risk-sensitive industries, that number gets taken seriously.

Support and SLA

Have an issue with Let's Encrypt? Post on the community forum and wait for a volunteer to respond.
Have an issue with DigiCert? Call them. There's a dedicated support team, and response times are written into the contract.

A significant chunk of what enterprise customers pay for is the assurance that if something breaks, someone is accountable.

Additional Features

Higher-priced certificates often bundle extras: certificate lifecycle management platforms, automation APIs, multi-domain and wildcard support, dedicated monitoring services. These matter when you're managing hundreds of certificates across an organization.

A Few Common Brands at a Glance

| Brand | Positioning | Notes |
|---|---|---|
| Let's Encrypt | Free, nonprofit | Free DV only; 90-day certs require auto-renewal; no commercial support; backed by ISRG |
| ZeroSSL | Free + paid | Similar to Let's Encrypt; paid plans offer longer validity and email support |
| Sectigo (formerly Comodo) | Best value | Largest market share globally; affordable; full DV/OV/EV lineup |
| DigiCert | Enterprise, premium | Most expensive; best support; preferred by financial institutions and governments |
| GlobalSign | Enterprise, mid-to-high | Popular with European enterprises; thorough compliance documentation |
| Entrust | Enterprise / government | Widely used by North American government agencies; includes identity and document signing |

Which One Should I Actually Buy?

One common myth first:

"More expensive certificates have stronger encryption."

No. Whether you spend $30 or $300, the encryption is identical: the protocol version and cipher suite (for example TLS 1.3 with AES-256) are negotiated between your server and the browser during the handshake, and have nothing to do with which CA signed the cert.

What you're actually paying more for: stricter identity verification, brand credibility, warranty coverage, and a support team that picks up the phone.

From a pure encryption standpoint, Let's Encrypt and DigiCert are on equal footing.

Here's how to think about your actual choice:

  • Need compatibility with old devices or legacy systems → Go with DigiCert or GlobalSign. Their root certificates have been in major trust stores the longest and have the broadest coverage — least likely to have issues with Windows XP, older Android versions, or embedded devices.

  • Have compliance or audit requirements → DigiCert or GlobalSign OV/EV. Financial regulators, cybersecurity certifications like SOC 2, and similar audits often scrutinize your CA choice — a recognizable name makes that conversation easier.

  • Just need HTTPS with no special requirements → Let's Encrypt is completely sufficient. Free, broadly compatible, just make sure you configure auto-renewal for the 90-day expiry.

The other dimension is certificate type — DV, OV, or EV. I covered that in detail in a previous post if you want to dig in.

And if you want free certificates with automatic renewal, auto-deployment, and expiry alerts all handled for you, CertFlow takes care of the whole certificate management headache.
