Public and private trust certificates are types of SSL/TLS certificates that are formatted to suit different use cases. Entrust Datacard issues SSL/TLS certificates to meet both the public and the private trust models. But what is the difference between these models?

Public Trust Model for SSL/TLS Certificates

Publicly trusted SSL/TLS certificates are used for public-facing web projects (e.g., websites, landing pages, microsites) and are needed to avoid browser warnings. A public certificate can secure either server-to-client or server-to-server communication and can only be issued by a trusted certification authority (CA).

Trust is key to the usefulness of public SSL/TLS certificates. In the public trust model, CAs anchor their root certificates in the trust hierarchy found in various browsers (Safari, Chrome, Microsoft, Mozilla and Firefox) and, in most cases, in the operating systems of platform vendors (Windows, OS X, iOS and Android). These root certificates signal that the CA will manage and issue certificates in accordance with the policies established by the CA/Browser Forum, an industry standards group. The policy is governed by the browsers and vendors that distribute the root certificates to the people who use their platforms (users). This indicates to those users that an SSL/TLS certificate was issued to the domain owner by a trusted CA and that the data being transacted will be encrypted to provide transactional security. Specialty certificates such as document or code signing certificates require trust with software vendors such as Adobe or Oracle.

CA-issued certificates that chain to a trusted root CA in the public trust system must comply with the policies established by the browsers and/or software vendors. The software vendors may publish their own policies or may require CAs to comply with the CA/Browser Forum requirements. These policies are continually monitored for security weaknesses and updated to keep the SSL/TLS ecosystem strong and prevent harm to the user community. With the help of their trusted CA, certificate holders can maintain compliance with new and emerging policy changes and avoid service interruption.

Private Trust Model for SSL/TLS Certificates

Private certificates are used to secure internal networks and can be issued either by a trusted CA or by any organization that runs its own internal PKI. They can only secure server-to-server communication for IP addresses and non-registered domains, in other words, URLs that are visible only to a contained user group.

The private trust model does not require CAs to anchor their root certificates in the trust hierarchy of browsers or software vendors, so private certificates are not trusted by them. CAs can establish and manage their own certificate policies for private certificates, providing more flexibility for internal IT environments.

The private trust model is typically used with enterprise CAs. In this case, the enterprise has created its own private, dedicated CA, which can be used to provide trust for employees, partners, enterprise servers and so on. The enterprise can then issue private certificates for internal use and create its own guidelines.

Entrust Datacard also provides private trust SSL/TLS certificates to its many subscribers from a single CA. In this private trust model, Entrust Datacard establishes the policy for private certificates to ensure that all subscribers are secure.

The advantage of a private trust SSL/TLS certificate is that it provides flexibility for internal IT environments that the public trust model does not allow. Private certificates can 1) be used to secure unregistered domain names, 2) have a longer validity period (up to 39 months), and 3) avoid the frequent changes caused by public policy updates. Other than specific exceptions, private dedicated CAs are run at the same security level as publicly trusted CAs. This includes abiding by the same verification methods and undergoing an annual audit to ensure that they comply with the policies established for the private trust model.
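The practical difference between the two models shows up when a client verifies a certificate chain. As an added illustration (not Entrust's code), this Go program builds a constructed private root CA and a 39-month leaf for an unregistered internal hostname, then checks the leaf against a root store with and without that private root installed; the CA name "Example Corp" and the hostname "intranet.corp.internal" are assumed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue generates an Ed25519 key for tmpl and signs it under parent with signer; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPrivateChain builds a constructed private root CA (assumed name) and a 39-month leaf for an unregistered internal hostname.
func BuildPrivateChain() (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Private Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{"intranet.corp.internal"}, // unregistered internal name
		NotBefore: now, NotAfter: now.AddDate(0, 39, 0), // 39 months: permitted only under private trust
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return root, leaf, err
}

// VerifyAgainst validates leaf for name using only the roots in pool; an empty pool models a client that never
// installed the private root (a nil pool would select the OS/browser public store) and yields x509.UnknownAuthorityError.
func VerifyAgainst(leaf *x509.Certificate, pool *x509.CertPool, name string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: name})
	return err
}
```

The same check explains the public model: a publicly trusted leaf succeeds with a nil pool because the CA's root is already in the platform store, while a private leaf only succeeds on clients where the private root has been distributed.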

To sum up, public SSL/TLS certificates are needed for digital projects that can be viewed publicly, by anyone surfing the internet or another user community, whereas private trust provides a secure service for internal IT environments and gives certificate subscribers more time to evolve their systems toward the more stringent requirements needed for public trust.


Bruce Morton

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.