The Role of Certificate Authorities in California’s Digital Signature Security
Digital signatures rely on cryptographic certificates to verify that a document was signed by the person who claims to have signed it, and that the document has not been changed since. Certificate Authorities (CAs) issue these certificates. California law recognizes digital signatures as valid only when they come from providers the Secretary of State has approved. This post explains what CAs do, how California approves them, and what it means for notaries and businesses.
What Is a Certificate Authority?
A CA is a trusted organization that issues digital certificates. These certificates link a person’s identity to a public key. When someone signs a document digitally, their software uses a private key to create the signature. Anyone can verify the signature using the corresponding public key from the certificate.
The system works because the CA verified the signer’s identity before issuing the certificate. Without a trusted CA, there is no way to know whether a digital signature actually belongs to the person named in it.
Why the CA Matters
Web browsers and operating systems come with a built-in list of trusted CAs. Certificates from these CAs are recognized automatically. If a certificate comes from a CA that is not on that list, the browser shows a warning.
Some organizations create their own internal certificates. These work fine inside the company network but fail when used publicly. For external use, you need a certificate from a recognized third-party CA.
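The mechanism described in the two sections above, as an added example that is not code from the original post: a CA issues a certificate that binds a name to a key pair, the certificate holder signs a document with the private key, and a verifier accepts the signature only if the document is unchanged and the certificate chains to a CA in its own trusted set, which here stands in for the approved list. It uses only Go's standard library; the CA and signer names and the document bytes are assumptions constructed for the walkthrough.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// IssueCert binds cn to a new Ed25519 key pair. parent == nil makes a self-signed CA root;
// otherwise the CA (parent, parentKey) signs it. Returns the certificate and its private key.
func IssueCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil { // CA root: self-signed and permitted to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, priv
}

// SignDocument signs the document with the signer's private key (Ed25519 hashes internally).
func SignDocument(doc []byte, key ed25519.PrivateKey) []byte { return ed25519.Sign(key, doc) }

// VerifySignedDocument accepts only if the signer's certificate chains to a CA in trustedCAs (the
// verifier's "approved list") and the signature matches the document under that certificate's key.
func VerifySignedDocument(doc, sig []byte, signer *x509.Certificate, trustedCAs *x509.CertPool) bool {
	opts := x509.VerifyOptions{Roots: trustedCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return false // unlisted CA, expired certificate, or an issuer that is not a CA
	}
	pub, ok := signer.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, doc, sig)
}
```

Issue a root with IssueCert("Approved CA", nil, nil), issue a signer certificate from it, and add only that root to an x509.CertPool: VerifySignedDocument then returns false both for a certificate issued by any CA outside the pool and for a document altered by a single byte after signing.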
California’s Approved CAs
The California Secretary of State maintains a list of approved digital signature certification authorities. Providers on this list have demonstrated that they meet the state’s requirements for:
- Identity verification: Processes for confirming that the person or organization requesting a certificate is who they claim to be.
- Key management: Measures to protect private keys from unauthorized access, including hardware security modules and multi-factor authentication.
- Cryptographic standards: Use of current encryption algorithms and regular security updates.
- Legal compliance: Adherence to state and federal data protection and privacy laws.
The list is available on the California Secretary of State’s website and is updated as providers are added or removed. The state can remove a provider that fails to maintain these standards.
How CA Approval Works
A CA that wants to operate in California submits an application to the Secretary of State. The application must show that the provider meets the requirements listed above. The state reviews the provider’s identity verification procedures, key storage infrastructure (typically hardware security modules rated at FIPS 140-2 Level 2 or higher), audit history, and business practices.
Approved providers undergo regular third-party audits (usually annual WebTrust or ETSI audits) to maintain their status. These audits verify that the CA still follows its stated security practices. If a CA fails an audit or experiences a security breach, the Secretary of State can suspend or revoke the approval.
What This Means for Notaries
California does not currently allow remote online notarization (RON). Digital signatures are used in business and legal transactions but are not part of the standard notarization process for California notaries. If California implements RON in the future (legislation like SB 696 has been proposed), approved CAs will play a central role in verifying notary identities for electronic notarizations.
For now, notaries perform notarizations in person using physical seals and handwritten signatures. The CA-approved digital signature framework primarily applies to other electronic transactions, not to standard notarial acts. But notaries who understand digital signatures will be better positioned if and when California adopts RON. See our guide to how digital signatures work for the technical background.
Using Approved CAs for Business
Businesses that use digital signatures for contracts, real estate transactions, or other legal documents should use providers from the state’s approved list. This ensures the signatures are recognized as valid and can help prevent fraud.
Using an approved provider also helps with compliance in regulated industries like finance, healthcare, and legal services, where electronic signature rules are strict.
What to Look for When Choosing a CA
- State approval: Check the Secretary of State’s list to confirm the provider is currently approved, not just that it was approved at some point in the past.
- Certificate types: Some CAs offer different levels of validation (domain-validated, organization-validated, extended validation). Higher validation levels provide stronger identity assurance.
- Integration: Make sure the CA’s certificates work with the software you use. Most major CAs support common platforms, but internal or specialized systems may have compatibility requirements.
- Cost: Prices vary. A basic certificate might cost $20 to $50 per year, while extended validation certificates for organizations can run $200 or more annually.
- Revocation support: The CA should offer certificate revocation (CRL and OCSP) so compromised certificates can be flagged quickly.
The ESIGN Act and California Law
The federal Electronic Signatures in Global and National Commerce Act (ESIGN Act), passed in 2000, establishes that electronic signatures and records have the same legal effect as paper documents and wet-ink signatures in interstate commerce. California’s Uniform Electronic Transactions Act (UETA), codified in the Civil Code, does the same at the state level.
Neither law requires you to use a CA-approved digital signature specifically. But using an approved provider gives you a stronger position if a signature is ever challenged in court, because you can demonstrate that the signer’s identity was verified by a trusted third party.
Frequently Asked Questions
Can California notaries use digital signatures right now?
No. California notaries currently perform all notarizations in person with physical seals. Digital signatures are not part of the notarization process in California.
Where can I find California’s list of approved CAs?
On the California Secretary of State’s website. The list is updated regularly.
What is the difference between a digital signature and an electronic signature?
An electronic signature is any electronic indication of intent to sign (like typing your name or clicking “I agree”). A digital signature uses cryptographic certificates to verify identity and document integrity. Digital signatures are more secure because the certificate lets a verifier confirm both who signed and that the document has not changed since.
Will California allow remote online notarization?
Legislation has been introduced (SB 696) but has not been implemented yet. Estimates suggest RON could be available around 2030 in California.
Do I need a digital certificate to sign contracts electronically?
Not always. Many electronic signature platforms (like DocuSign) handle the cryptography behind the scenes. But for the highest level of legal assurance, using a CA-approved digital certificate provides stronger verification.