Why one is needed
Anyone can make an SSL certificate claiming to be any website. Making one takes seconds and costs nothing. So a certificate on its own is worthless as proof of identity.
What makes it worth something is the signature on it. A certificate authority, or CA, is an outside organisation that checks something before it signs, and stakes its reputation on that signature. Your browser does not trust the website. It trusts the CA that vouched for the website.
The chain of trust
Your browser and operating system ship with a built-in list of root certificate authorities. Somebody put that list there before you ever opened the browser, and it is the foundation of the whole system.
When a site presents its certificate, the browser follows the signatures upward. The site certificate was signed by an intermediate, the intermediate was signed by a root, and the root is on the trusted list. If the chain reaches a trusted root, the padlock appears. If it does not reach one, you get a full-page warning, which is exactly what happens with a self-signed certificate.
Getting onto that root list is hard and staying on it requires ongoing audits. Authorities that have misbehaved have been removed by browser makers, and losing that trust effectively ends the business.
Let's Encrypt changed everything
Certificates used to cost money and involve paperwork, so plenty of small sites simply went without.
Let's Encrypt made free, automated certificates normal. That was a genuinely good thing. Encryption stopped being a line item and became the default, and today most hosts and platforms provision and renew certificates for you without being asked. On cPanel hosting, Let's Encrypt is the default AutoSSL provider for new installations.
It also had a side effect worth being honest about. When certificates are free and instant, scammers get them too. That is precisely why a padlock is no longer a signal of a serious business, and why we never treat one as evidence of anything more than an encrypted connection. Our guide on whether HTTPS means a website is safe covers the rest.
What a CA actually checks
Less than most people assume, at the free tier.
- →Domain validated certificates, the common free kind, prove one thing: whoever asked controls the domain. Not who they are. Not whether the business is real.
- →Organisation validated and extended validation certificates involve real vetting of the organisation, but browsers no longer display them differently in any way shoppers notice.
- →No CA at any price checks whether a shop ships its orders, answers its email, or is run by honest people. That was never the job.
Platforms rotate between authorities
You usually do not get to pick your CA, and it can change without warning. Shopify issues from letsencrypt.org, pki.goog and ssl.com. Webflow uses Let's Encrypt and Google Trust Services. Squarespace uses Let's Encrypt.
This matters for one specific reason: CAA records. A CAA record is a DNS record naming which authorities are allowed to issue certificates for your domain. Write a strict one that names a single authority, and the day your platform rotates to a different one, renewal fails and your site goes down with a certificate warning.
So if you publish a CAA record on a hosted platform, list every authority your platform uses, or do not publish one at all. Over-strict is worse than absent here.
What to take from this
The CA system does its job well. It makes encryption trustworthy and it is the reason your browser can tell a real connection from an impersonated one.
What it does not do, and never claimed to do, is tell you whether the people behind a website deserve your money. Want to know what your own domain looks like from the outside? Run a free check.
We have step by step instructions for every major platform, including the ones that will not let you.
See how to fix certificate problems