A certificate (really a digital certificate) is a blob of encrypted data generally used for two purposes:
- To confirm the identity of a website, server, or person.
- To encrypt data exchanged with that website, server, or person.
How certificates work
Using a website as an example:
A website owner applies for a certificate from someone authorized to issue certificates, known as a certificate authority, or CA. Typically, the CA does some sort of check to verify that the person asking for the certificate is indeed the owner of the website, or is authorized by the owner.
The certificate contains:
- A public key of a key pair created specifically for the website.
- Additional data that is digitally signed by the CA using the CA’s private key. (This is a different key pair than that assigned to the website.)
The website owner also receives the private key for the website that matches its public key.
Conceptually, at a very high level, when a web browser connects to an HTTPS site:
- The server digitally signs the certificate using the server’s private key. This results in the certificate having been signed twice: once by the CA when issued, and again by the server.
- The server sends the signed certificate to the browser.
- The browser first validates the CA’s signature of the certificate using its own built-in list of trusted “root certificates”. This validates that the certificate could only have been issued by that trusted CA, could not have been altered, and contains the confirmed public key that was assigned to that server when the certificate was issued.
- The browser then validates the server’s signature of the certificate. This validates that the server which signed it is the server which was given the private key at the time that the certificate was issued. In other words, this validates that the server being communicated with is indeed the server to which the certificate was properly assigned.
- The server’s public and private keys are then used to establish encryption of the data being exchanged thereafter.
It’s important to realize that overall security of certificates and certificate authorities relies on keeping private keys private – both that of the CA itself, and the private keys issued to individual websites.
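The two browser checks described above, as an added example that is not code from the original page. It uses textbook RSA with constructed, trivially factorable keys purely to show the logic; the helper names, the site name `example.test`, and the browser-chosen nonce that the server signs together with the certificate (so a recorded signature cannot be reused) are assumptions of this example.

```python
import hashlib, json, secrets

E = 65537  # public exponent shared by every toy key below

def keypair(p, q):
    """Textbook RSA from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)   # requires the private exponent d

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)   # needs only the public key

def issue(ca_n, ca_d, site, site_n):
    # The CA signs the site name and the site's public key with the CA private key.
    body = json.dumps({"site": site, "public_key": site_n}, sort_keys=True)
    return {"body": body, "ca_sig": sign(body.encode(), ca_n, ca_d)}

def server_hello(cert, nonce, n, d):
    # The server signs its certificate plus the browser's nonce with its own private key.
    return {"cert": cert, "server_sig": sign(cert["body"].encode() + nonce, n, d)}

def browser_check(hello, nonce, trusted_ca_n, expected_site):
    cert = hello["cert"]
    if not verify(cert["body"].encode(), cert["ca_sig"], trusted_ca_n):
        return "reject: CA signature invalid"
    fields = json.loads(cert["body"])
    if fields["site"] != expected_site:
        return "reject: certificate is for another site"
    if not verify(cert["body"].encode() + nonce, hello["server_sig"], fields["public_key"]):
        return "reject: server signature invalid"
    return "accept"

# Constructed demo keys built from Mersenne primes (insecure, illustration only).
M127, M521, M607 = 2**127 - 1, 2**521 - 1, 2**607 - 1
CA_N, CA_D = keypair(M521, M607)        # the CA's key pair
SITE_N, SITE_D = keypair(M521, M127)    # the website's key pair
EVIL_N, EVIL_D = keypair(M607, M127)    # a party that lacks the website's private key
CERT = issue(CA_N, CA_D, "example.test", SITE_N)
NONCE = secrets.token_bytes(16)
```

A party that copies the public certificate but holds a different private key fails the second check, and a certificate whose public key was swapped after issuance fails the first.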