How Digital Certificates Work

Part 2 of 3

In part 1 of the series, I explained what a digital certificate is and why we need them. In this article, I will attempt to explain how digital certificates work. In describing the Certificate Authority (CA), I hope you remember the International Passport analogy used in Part 1, otherwise, this is a good time for a refresher.

Now let us cover some important concepts:

Certificate Chain

A certificate chain, also known as a certificate chain of trust or certification path, is a hierarchical sequence of digital certificates used in the context of public key infrastructure (PKI) to establish the validity and authenticity of a particular digital certificate. The certificate chain consists of the Root, Intermediate, and End-Entity (leaf) certificate. Each certificate in the chain hierarchy is signed by the entity identified by the next certificate in the chain.

Certificate Authority (CA)

The primary function of a Certificate Authority (CA) is to issue and manage digital certificates used to establish secure communications over networks, typically on the Internet. Digital certificates are used to verify the authenticity of a website, server, or user and to enable secure communication by encrypting data between parties.  

Root Certificate Authority (RA)

RA’s are the highest level of CAs in the certificate hierarchy. The RA signs (guarantees) the Root Certificate, which is at the top of the certificate chain, establishing trust in the entire chain. Root certificates are pre-installed and trusted by default in most operating systems and web browsers.  

Intermediate Certificate

Intermediate CAs are signed by the root CAs and are used to issue end-entity certificates (e.g., SSL/TLS certificates for websites). They provide an additional layer of management and security. However, intermediate certificates are also issued and signed by a CA but are not self-signed. Instead, the signature of the root certificate validates them. Intermediate certificates help the CA delegate the responsibility of issuing certificates, allowing for better scalability and security.  

End-Entity (Leaf) Certificate

At the bottom of the chain is the end-entity certificate, also known as the leaf certificate. This certificate belongs to the entity (e.g., website) that needs to prove its identity. The end-entity certificate is signed by one of the intermediate certificates and is issued directly to individuals, servers, or organizations.

Now that we have discussed some key concepts, the next section explains how certificates are created and used.

Digital Certificate Explained

In the context of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols used for securing web communication, the certificate issued by a CA is known as an SSL/TLS certificate. When you visit a website with “https” in the URL and see a padlock symbol in the browser’s address bar, it indicates that the website has an SSL/TLS certificate installed.

The process of obtaining and using an SSL/TLS certificate involves the following steps:

Step 1 – Certificate Request

An entity (such as a website owner) generates a certificate signing request (CSR), which includes information about the entity’s identity and public key.

Step 2 – Certificate Verification

The CA verifies the identity of the entity requesting the certificate. The CA may use various methods, such as domain validation (checking the ownership of the domain), organization validation (verifying the legal existence of a company), or extended validation (rigorous verification of the organization’s legal status).

Step 3 – Certificate Issuance

After successful verification, the CA issues an SSL/TLS certificate containing the entity’s public key and other relevant information. The certificate is signed with the CA’s private key, establishing the CA’s credibility.

Step 4 – Certificate Installation & Use

The entity installs the SSL/TLS certificate on its web server. When users connect to the website, their browsers verify the certificate’s authenticity using the CA’s public key, ensuring a secure and encrypted connection.

In summary, a trusted SSL/TLS certificate helps users trust the website they are interacting with. It encrypts the data exchanged between the user’s browser and the server, protecting it from eavesdropping and tampering. Certificate Authorities (CA) and Digital Certificates play a crucial role in establishing the foundation of secure communication on the Internet and are essential for maintaining online security and privacy.

Part 3 of this series will explain the importance of protecting the process of generating and managing digital certificates (Certificate Lifecycle Management).

For more information, use our contact form.

Henry Omodara | Chief Technology Officer | Axanto Blogs

Axanto Group Inc. Avatar

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.