BDO Knows WebTrust For Certification Authorities

Increasing Confidence Through Certification

Certificate Authorities (CAs) play a crucial role in information security by being the trusted source of identity verification. These organizations use public key infrastructure (PKI) and digital certificates to signify identities for a wide range of organizations, devices and individuals. The CA is responsible for setting the roles, policies and procedures necessary for creating, managing, distributing, using, storing and revoking an ecosystem of trusted digital certificates and for managing the keys that support them.
By being the trusted source for identity verification, CAs help keep us safe in all our digital interactions. However, as cyber risk continues to grow and evolve, web browser and information security requirements become stricter and more complex. Certificate authorities must stay compliant in this evolving regulatory environment. One way to demonstrate compliance and security best practices is through the WebTrust for Certification Authorities family of engagements.
If you’re interested in offering CA services, you need to understand what WebTrust is and how it can benefit your organization.


What is WebTrust for CAs?

WebTrust for CAs is an audit that ensures a certificate authority is issuing certificates in accordance with its Certificate Policy and Certification Practice Statement. A Certificate Policy and Certification Practice Statement is a document that explains how a specific certificate authority issues and manages certificates and the identity verification process.

Who needs one?

There are generally three types of entities that need a WebTrust for CAs audit:

  • Publicly trusted certificate authorities

  • Cloud providers that offer certificate services

  • Governments that offer certificate services


How to get one?

A public accounting firm or practitioner licensed by the Chartered Professional Accountants of Canada (CPA Canada) can perform a WebTrust for CAs audit.


Investing in a WebTrust for CAs audit offers multiple benefits, including:

  • Inclusion in trust programs

  • Ability to offer a wide range of CA services

  • Increased client confidence

  • Enhanced risk management

  • Improved competitive advantage

  • Streamlined business processes and controls

How We Can Help

BDO has in-depth knowledge of and experience in the CA industry. We focus on virtually all aspects of PKI design and implementation, including:

  • Organization and policy frameworks

  • Systems implementation and integration

  • Governance

  • Accreditation

  • Testing

  • Configuration

Through our extensive involvement in both the WebTrust Task Force and CA/Browser Forum, we offer our clients access to abundant resources to help ensure compliance with their Certificate Policy and Certification Practice Statements. In addition, we offer services assessing compliance with multiple standards, including ISO, PCI and SOC 2. With BDO, you can test once to generate multiple reports and reduce your audit burden.
Want to learn more about WebTrust for CAs? Contact us today.
