DigiCert Secures the Web With TLS Certificates. The Certificate Model Has Structural Limits.
by Nick Clark | Published March 28, 2026
DigiCert is one of the world's largest certificate authorities, issuing TLS certificates that secure millions of websites, IoT devices, and digital transactions. The certificate chain of trust from root CAs through intermediates to end-entity certificates provides the web's identity infrastructure. But this chain depends on stored key material at every level. A compromised root CA key undermines the entire trust hierarchy below it. The structural gap is between certificate-chain identity and an identity model where trust derives from behavioral continuity rather than hierarchical key material.
DigiCert's investment in certificate infrastructure, CT log participation, and post-quantum preparedness demonstrates a commitment to web security. The gap described here concerns the certificate model's structural properties, not DigiCert's operational excellence.
Trust hierarchy concentrates authority
The certificate trust model places root certificate authorities at the top of a hierarchy. Everything below depends on the root's key material. A compromised root CA key or a misbehaving intermediate CA can issue fraudulent certificates for any domain. Browser trust stores contain hundreds of root CAs, each of which is trusted to vouch for any domain on the internet.
Certificate Transparency logs provide post-hoc detection of misbehavior but do not prevent it. The trust model allows any trusted CA to issue a certificate for any domain. The authority is structurally concentrated at the roots.
Short-lived certificates reduce but do not eliminate the problem
The industry trend toward shorter certificate lifetimes reduces the window during which a compromised certificate can be misused. But shorter lifetimes mean more frequent issuance, increasing the operational surface and the number of interactions with the CA infrastructure. The fundamental model remains: identity is a credential issued by a hierarchical authority.
What keyless identity addresses
Keyless identity removes the hierarchical trust model. A server's identity derives from its accumulated behavioral continuity, not from a certificate issued by a CA. Trust is validated through the server's own trust slope history, not through a chain of signatures from root to intermediate to end entity. No CA compromise can undermine the identity because the identity does not depend on a CA.
TLS certificates could coexist with keyless identity through a hybrid model during transition, providing backward compatibility while the identity primitive shifts from hierarchical certificates to behavioral continuity.