Understanding Certificate Issuers
Learn how to read the Issuer field in SSL certificates to identify the Certificate Authority. Understand issuer DN components, Authority Key Identifier, and how to verify the issuing CA.
Detailed Explanation
The Issuer Field in SSL Certificates
The Issuer field identifies the Certificate Authority (CA) that signed and issued the certificate. It is a Distinguished Name (DN) composed of multiple attributes that together identify the issuing entity.
Issuer DN Components
```
Issuer:
    C = US (Country)
    O = Let's Encrypt (Organization)
    CN = R3 (Common Name)
```
Common issuer DN attributes:
| Attribute | Code | Description |
|---|---|---|
| Country | C | Two-letter country code (ISO 3166-1) |
| Organization | O | Legal name of the CA |
| Organizational Unit | OU | Division within the CA (being deprecated) |
| Common Name | CN | Identifier for the specific issuing certificate |
| State/Province | ST | State or province |
| Locality | L | City |
Well-Known Certificate Issuers
```
# Let's Encrypt
Issuer: C=US, O=Let's Encrypt, CN=R3

# DigiCert
Issuer: C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1

# Sectigo (formerly Comodo)
Issuer: C=GB, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA

# Google Trust Services
Issuer: C=US, O=Google Trust Services, CN=WR2
```
Issuer vs Authority Key Identifier
The Issuer DN tells you who signed the certificate, but the Authority Key Identifier (AKI) extension tells you which specific key was used. This is important because a CA may have multiple signing keys:
```
X509v3 Authority Key Identifier:
    keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
```
The AKI matches the Subject Key Identifier (SKI) in the issuing CA's certificate. This linkage is how clients build the certificate chain — they match the end-entity's AKI to the intermediate's SKI, then the intermediate's AKI to the root's SKI.
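The AKI-to-SKI matching described above, as an added example that is not part of the original page: it walks a chain over constructed certificate summaries in which two intermediates share one subject DN but hold different keys, so only the AKI selects the right issuer. All DNs, key IDs and function names here are assumptions made for illustration.

```python
# Constructed certificate summaries: DNs and key IDs are made up for illustration.
# Two intermediates share one subject DN but hold different signing keys.
CERTS = [
    {"name": "leaf", "subject": "CN=www.example.test",
     "issuer": "C=XX, O=Example CA, CN=Issuing CA 1", "ski": "AA:01", "aki": "BB:02"},
    {"name": "int-old-key", "subject": "C=XX, O=Example CA, CN=Issuing CA 1",
     "issuer": "C=XX, O=Example CA, CN=Example Root", "ski": "BB:01", "aki": "CC:01"},
    {"name": "int-new-key", "subject": "C=XX, O=Example CA, CN=Issuing CA 1",
     "issuer": "C=XX, O=Example CA, CN=Example Root", "ski": "BB:02", "aki": "CC:01"},
    {"name": "root", "subject": "C=XX, O=Example CA, CN=Example Root",
     "issuer": "C=XX, O=Example CA, CN=Example Root", "ski": "CC:01", "aki": None},
]


def find_issuer(cert, pool):
    """Return the pool entry whose subject DN and SKI match cert's issuer DN and AKI."""
    by_name = [c for c in pool if c["subject"] == cert["issuer"]]
    by_key = [c for c in by_name if c["ski"] == cert["aki"]]
    if not by_key:
        raise LookupError(
            f"{cert['name']}: {len(by_name)} DN match(es), none with SKI {cert['aki']}")
    return by_key[0]


def build_chain(leaf, pool, max_depth=8):
    """Walk leaf -> root by issuer DN plus AKI/SKI.

    Matching IDs only selects candidate issuers; each link's signature must
    still be verified (for example with `openssl verify`).
    """
    chain = [leaf]
    while chain[-1]["subject"] != chain[-1]["issuer"]:  # stop at the self-issued root
        if len(chain) >= max_depth:
            raise LookupError("chain too long or looping")
        chain.append(find_issuer(chain[-1], pool))
    return [c["name"] for c in chain]


if __name__ == "__main__":
    print(build_chain(CERTS[0], CERTS))
```

Matching on the issuer DN alone would leave two candidate intermediates for the leaf; the AKI narrows it to the one whose key actually signed it.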
Verifying the Issuer
You can verify that a certificate was actually signed by the claimed issuer:
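```
# Download the issuer's certificate and verify the signature.
# -partial_chain lets verification stop at an intermediate in -CAfile
# instead of requiring a chain up to a self-signed root.
openssl verify -partial_chain -CAfile issuer-cert.pem server-cert.pem
```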
If the verification succeeds, the certificate was genuinely signed by the issuer's private key.
Issuer and Certificate Transparency
Certificate Transparency (CT) logs record every certificate issued by public CAs. You can search CT logs by issuer to find all certificates a particular CA has issued for your domain. This helps detect unauthorized certificate issuance — if a CA you do not use has issued a certificate for your domain, it could indicate a security incident.
Organizational Unit Deprecation
The CA/Browser Forum deprecated the OU (Organizational Unit) field in September 2022. New certificates should not include OU in the Subject, and CAs are phasing it out from their issuer DNs as well. This change simplifies certificate validation and reduces ambiguity.
Use Case
Identify the Certificate Authority that issued a certificate to verify it comes from a trusted CA, investigate unexpected issuers in Certificate Transparency logs, or match certificates to their signing intermediates.