A Certificate Authority (CA) is an organization trusted to issue cryptographic certificates to websites and other services. When you’re browsing and see https:// instead of http://, the site you’re visiting is presenting an SSL/TLS certificate issued by a CA. The certificate itself doesn’t encrypt anything: it binds the site’s public key to its hostname, signed by the CA, so your browser can check that it is really talking to that site and not to someone in the middle. TLS then uses that key to set up an encrypted session, preventing the traffic between your browser and the site from being intercepted and read by third parties.
Additionally, CAs validate the certificate requester at one of several levels:
- Domain Validation (DV): the requester can demonstrate control of the domain name (example.com) for which they are requesting a certificate;
- Organization Validation (OV): the requester is the organization/legal entity on record as owning the domain name;
- Extended Validation (EV): the requester is a verified real legal entity, in which case browsers of the time also showed the organization’s name in the location bar. (Chrome and Firefox dropped that EV indicator in 2019, so don’t count on seeing it today.)
#2 and #3 (OV and EV) give you additional assurance that the organization behind the website is who it claims to be; #1 only proves that whoever obtained the certificate controlled the domain at issuance time. Generally though, ordinary users don’t bother to check the cert details. At most, they glance at the location bar, see that it says Secure (or shows a padlock) and go right on. That’s usually good enough. The only time I personally take extra caution is when dealing with an e-commerce or banking site for the first time.
SSL/TLS certs have traditionally cost a lot, especially if #2 or #3 is involved. Certs that only undergo domain validation (#1) have dropped in price, but still run around $10/year from a budget provider, and are typically issued with a validity period of a year or more.
A regular certificate is issued for only one hostname at a time, e.g. www.example.com but not blog.example.com. (Nowadays, providers usually throw in www as a second name when you get a cert for example.com; that works because a certificate can list several hostnames in its Subject Alternative Name extension.) A wildcard certificate is one issued for *.example.com that secures any subdomain at that level, e.g. support.example.com, blog.example.com etc. Note that the wildcard matches exactly one label: *.example.com covers support.example.com but not example.com itself (which has to be listed separately) nor a.b.example.com. Wildcards cost even more. Much more.
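To make the single-name versus wildcard distinction concrete, here is an added example (not code from the original post) that implements the hostname-matching rules browsers apply to a certificate’s Subject Alternative Name entries. It uses only the Python standard library; the two certificate dictionaries are constructed for the example and are shaped like what ssl.SSLSocket.getpeercert() returns, so the same function works on a real peer certificate.

```python
"""Hostname matching against a certificate's subjectAltName (SAN) entries.

Rules implemented (RFC 6125 section 6.4.3, as applied by modern browsers):
 - only DNS-type SAN entries count; the Subject CN is ignored entirely
 - comparison is case-insensitive and ignores a trailing dot
 - a wildcard must be the entire left-most label ("*.example.com") and
   must leave at least two labels after it (so "*.com" is rejected)
 - a wildcard matches exactly one label: "support.example.com" yes,
   "example.com" no, "a.b.example.com" no
"""


def _labels(name):
    """Normalise a DNS name into lowercase labels without a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern, hostname):
    """Return True if a single SAN DNS entry (possibly a wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    # Wildcard must be the whole left-most label, nowhere else, and the
    # pattern must keep at least two fixed labels ("*.example.com").
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    # One label only: same label count, and everything after the first matches.
    return len(h) == len(p) and h[1:] == p[1:]


def cert_covers(cert, hostname):
    """cert is a dict shaped like ssl.SSLSocket.getpeercert() output.

    If the certificate has no DNS SAN entries it covers nothing, which is
    what current browsers do (they no longer fall back to the Subject CN).
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(pattern, hostname) for pattern in sans)


# Constructed sample certificates for this example (not real certificates).
# A "regular" cert for example.com with www thrown in as a second SAN:
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

# A wildcard cert; the bare domain has to be listed separately because
# "*.example.com" does not match "example.com".
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}


if __name__ == "__main__":
    for cert_name, cert in (("single-name", SINGLE_NAME_CERT), ("wildcard", WILDCARD_CERT)):
        for host in ("example.com", "www.example.com", "blog.example.com", "a.b.example.com"):
            print(f"{cert_name:12s} {host:18s} -> {cert_covers(cert, host)}")
```

The one-label rule is the caveat people trip over most often: a wildcard cert bought for *.example.com will not serve example.com itself unless that name is also listed, and it will never serve a nested name like a.b.example.com, which needs its own certificate or a *.b.example.com wildcard.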
Enter Let’s Encrypt.