Any entity can issue its own certificates and act as a CA, but most organizations rely on root certificates from commercial CAs that are already trusted. Operating systems, browsers, and mobile platforms ship with pre-loaded root stores, lists of root certificates from well-known CAs, and a client accepts any leaf certificate that chains to one of those roots, whichever CA issued it. To be admitted to a root store, a CA must meet criteria set by each OS/browser/device vendor's root program, including compatibility with older browsers, OSs, and devices that cannot be updated. CAs issue millions of certificates each year.
A fraudulently issued certificate undermines the integrity of the whole system: because clients trust any certificate that chains to a trusted root, a threat actor holding such a certificate can carry out a man-in-the-middle attack against the named site. In March 2016, Google published a list of untrusted CAs: those which had been compromised previously, had issued certificates from unknown sources, may have had certificates revoked, or had issued certificates with indications of tampering. DigiNotar and Comodo Group are the most infamous CA hacks, both in 2011, and both resulted in the issuance of fraudulent certificates; in DigiNotar's case, a rogue certificate for *.google.com was used to intercept Gmail traffic. As a result, DigiNotar filed for bankruptcy and shut its doors. Comodo is still operational (it rebranded as Sectigo in 2018) and continues to be one of the largest issuers of SSL certificates in the world.
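The two paragraphs above describe the same failure mode from two sides: any root in the pre-loaded store can sign for any hostname, and a compromised CA therefore yields certificates that clients accept until the CA is distrusted. The following added example (written for this page, not code from the original article or from any CA or browser vendor) reproduces that in Go's standard crypto/x509 library: it builds two self-signed roots, a "Good Root CA" and a "Rogue Root CA" standing in for a compromised issuer, puts both in a constructed trust store, has each sign a server certificate for the same constructed hostname, and then shows that the fraudulent certificate verifies just as cleanly as the legitimate one until the rogue root's public key is placed on a distrust list. The distrust list keyed on a SHA-256 SPKI fingerprint is a simplified stand-in for the kind of list Google published; the names, serial numbers, and hostname are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Everything below is generated in memory for the example; no real CA keys or certificates are involved.

func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newRootCA builds a self-signed root, the kind of certificate an OS or browser ships in its trust store.
func newRootCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// issueServerCert has ca sign a TLS server certificate for host. Nothing in X.509 stops a CA
// from signing for a name it has no relationship with; that is what the fraudulent certificates exploited.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// spkiFingerprint hashes the SubjectPublicKeyInfo. Distrusting by key rather than by certificate
// keeps a compromised CA key blocked even if it is re-wrapped in a fresh certificate.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyForHost does the chain build a TLS client does (path to a root, hostname match, validity),
// then applies the distrust list to every certificate in the resulting chain, root included.
func verifyForHost(leaf *x509.Certificate, roots *x509.CertPool, host string, distrusted map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, c := range chains[0] {
		if distrusted[spkiFingerprint(c)] {
			return fmt.Errorf("chain passes through distrusted CA %q", c.Subject.CommonName)
		}
	}
	return nil
}

// Scenario runs each check and returns its outcome by name (nil means the client would accept the certificate).
func Scenario() map[string]error {
	const host = "mail.example.com" // constructed hostname
	goodCA, goodKey := newRootCA("Good Root CA", 1)
	rogueCA, rogueKey := newRootCA("Rogue Root CA", 2) // stands in for a compromised CA

	store := x509.NewCertPool() // the trust store as shipped, before the compromise is known
	store.AddCert(goodCA)
	store.AddCert(rogueCA)

	goodLeaf := issueServerCert(goodCA, goodKey, host, 100)
	rogueLeaf := issueServerCert(rogueCA, rogueKey, host, 200) // fraudulent cert for the same host

	none := map[string]bool{}
	distrust := map[string]bool{spkiFingerprint(rogueCA): true}

	return map[string]error{
		"legit":           verifyForHost(goodLeaf, store, host, none),
		"fraud_before":    verifyForHost(rogueLeaf, store, host, none), // accepted: any trusted root may sign any name
		"fraud_after":     verifyForHost(rogueLeaf, store, host, distrust),
		"legit_after":     verifyForHost(goodLeaf, store, host, distrust),
		"fraud_wrong_host": verifyForHost(rogueLeaf, store, "other.example.com", none),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-16s %v\n", name, err)
	}
}
```

The point to take away is the "fraud_before" result: the rogue certificate is indistinguishable from the legitimate one to a client that only checks "does this chain to a root I ship", which is why root-store removal and distrust lists, not the chain check itself, are what ended the 2011 incidents. The "fraud_wrong_host" check shows the one control X.509 does give a client, hostname matching, which a fraudulent certificate for the right name trivially satisfies.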