Certificate Authorities Compared: Why Your Own CA with YubiHSM?
A comprehensive comparison of public CAs and self-hosted PKI solutions.
The World's Largest Certificate Authorities
| Rank | CA | Market Share | Headquarters |
|---|---|---|---|
| 1 | Let's Encrypt | 64.1% | USA (ISRG) |
| 2 | GlobalSign | 23.7% | Belgium/Japan (GMO) |
| 3 | Sectigo | 5.9% | USA |
| 4 | GoDaddy Group | 3.9% | USA |
| 5 | DigiCert Group | 1.9% | USA |
Source: W3Techs, December 2025
German Certificate Authorities
| CA | Description |
|---|---|
| D-Trust | Subsidiary of Bundesdruckerei, qualified trust service provider under eIDAS. Focus on healthcare (eHBA, SMC-B), government and critical infrastructure. |
| Deutsche Telekom | T-Systems TeleSec, long-standing provider for enterprise PKI and SSL certificates. |
| Procilon | German security specialist from Saxony, offering certificate management solutions and PKI services for enterprises and public sector. |
Signando CA vs. Internet CAs: The Comparison
| Criterion | Internet CA | Signando CA + YubiHSM 2 |
|---|---|---|
| Key Control | CA generates and stores private keys | 100% under your control, stored in a Hardware Security Module |
| Data Sovereignty | Certificate data with third party (often USA) | Completely internal, air-gapped operation possible |
| Dependency | Vendor lock-in, price changes, shutdown risk | Fully independent and self-managed |
| Revocation Risk | CA can revoke certificates at any time | Only your organization decides |
| Certificate Transparency | All public TLS certificates published in CT logs | Internal certificates remain private |
| Audit Trail | At provider, limited visibility | Fully controllable internally |
| Costs | Per certificate and year (EV: €100-500/year) | One-time license + YubiHSM 2 (~€650) |
| Certificate Lifetime | 90 days (Let's Encrypt) to a maximum of 1 year | Freely configurable per internal policies |
| Internal PKI | Not intended | Core functionality |
| Offline Operation | Impossible | Native support for air-gap environments |
When Is Your Own CA the Better Choice?
Signando CA is particularly suited for:
- Companies with strict compliance requirements (GDPR, BSI, critical infrastructure)
- Organizations prioritizing digital sovereignty
- Air-gapped environments without internet access
- Internal PKI for devices, employees and services
- Code signing and document signing under your own control
- Developers and DevOps teams needing flexible certificate lifetimes
- Microservices and container environments requiring mutual TLS (mTLS) authentication
- Internal development and test environments requiring valid certificates
Internet CAs make sense for:
- Publicly accessible websites (browser trust required)
- Small businesses without PKI expertise
- Quick setup without own infrastructure
⚠️ When you should NOT use Signando CA:
- Public web servers: Your Signando CA root certificate is not pre-installed in browsers. Visitors to your website would see security warnings because their browsers don't trust your self-generated certificates.
- Public-facing APIs: External clients and partners would need to manually install your root certificate, which is impractical for public services.
- Email S/MIME for external recipients: Recipients outside your organization won't trust certificates signed by your private CA.
For these use cases, you need certificates from a publicly trusted CA whose root certificates are already distributed in browsers and operating systems.
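As an added example (not Signando's or Yubico's code), the trust-store caveat above and the "Certificate Lifetime" row of the comparison table, demonstrated with Go's standard library: a private root issues a leaf with a policy-chosen lifetime, and that leaf verifies only against a trust store that already contains the root. The host name, CA name and lifetime are assumed values, and keys are generated in software for the demonstration, whereas the setup described above would keep the root key in the YubiHSM 2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error: acceptable in a demonstration, not in a service.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs tmpl under parent with signer and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}
// BuildPrivateChain creates a private root CA and a server leaf for host whose lifetime is
// set by local policy. Keys are in software here; the setup above would keep the root key in the HSM.
func BuildPrivateChain(host string, leafLifetime time.Duration) (root, leaf *x509.Certificate) {
	now := time.Now().UTC().Truncate(time.Second)
	rootKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"}, // assumed name
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: now, NotAfter: now.Add(leafLifetime), // 90 days or 3 years: whatever internal policy says
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = issue(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return root, leaf
}

// TrustedBy reports whether leaf validates as a server certificate for host against roots:
// a store without our root (a visitor's browser) rejects it; a store holding it accepts it.
func TrustedBy(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

Passing a nil pool instead of an empty one makes `TrustedBy` consult the operating system's trust store, which is exactly the check a browser performs and which fails until your root is distributed to it.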
Conclusion
Public CAs like Let's Encrypt or DigiCert fulfill their purpose for publicly accessible web servers. For internal infrastructure, sensitive environments, and everywhere that control, privacy, and independence are critical, your own CA with a Hardware Security Module is the sovereign alternative.
With Signando CA and a YubiHSM 2, you operate your PKI completely under your own control – without dependency on third parties, without data leakage, and without compromises on security.