Basics · 2025-01-20

How SSL Certificates Work

The SSL Certificate

An SSL certificate is a digital file that binds a cryptographic key to an organization's details. When installed on a web server, it activates the HTTPS protocol and the padlock icon in browsers.

What's Inside a Certificate

An SSL certificate contains several key pieces of information:

  • Subject — The domain name and organization the certificate is issued to.
  • Issuer — The Certificate Authority (CA) that issued the certificate.
  • Public Key — Used for encryption and signature verification.
  • Validity Period — The not-before and not-after dates.
  • Serial Number — A unique identifier assigned by the CA.
  • Signature Algorithm — The algorithm used to sign the certificate.
  • SAN (Subject Alternative Names) — Additional domains covered by the certificate.

The Chain of Trust

Browsers trust SSL certificates through a chain of trust:

  1. Root CA — Pre-installed in browsers/OS. These are the ultimate trust anchors.
  2. Intermediate CA — Issued by the Root CA. Used to sign end-entity certificates.
  3. End-Entity Certificate — Your server's certificate, signed by an Intermediate CA.

When a browser receives your certificate, it follows the chain from your certificate up to a trusted Root CA. If every link in the chain is valid, the connection is trusted.

The Handshake Process

During the TLS handshake, the server presents its certificate chain. The client verifies each certificate in the chain, checks expiration dates, validates the signature, and ensures the domain name matches. Once verified, both parties derive session keys and begin encrypted communication.