SSL/TLS Certificate (Digital Certificate) Basics
An SSL/TLS Certificate is a digital file that serves two main purposes: it verifies the identity of a web server and enables encryption for the communication between the server and the client (browser).
This certificate is what transforms an HTTP connection into a secure HTTPS connection.
1. Two Main Roles of an SSL/TLS Certificate
① Server Authentication
The certificate proves that the server the client is connecting to is legitimate and is operated by the actual owner of the domain (e.g., a bank), preventing connection to fake, phishing servers.
- Mechanism: A trusted third party called the Certificate Authority (CA) verifies the server's identity information and digitally signs the certificate. Browsers trust this signature.
② Encrypted Communication
By being part of the Public Key Infrastructure (PKI), the certificate allows the secure exchange of the server's Public Key so that the client and server can establish an encrypted channel.
- Result: It guarantees the confidentiality of all data exchanged (passwords, financial details, etc.).
2. Key Information Contained in the Certificate
An SSL/TLS certificate follows the X.509 standard format and contains essential fields:
| Information | Description | Role |
|---|---|---|
| Subject | The Domain Name (e.g., www.example.com) and organizational details for which the certificate was issued. |
Verifies server identity |
| Public Key | The server's Public Key, used by the client to encrypt data intended for the server. | Basis for encryption |
| Issuer | The name of the Certificate Authority (CA) that issued the certificate. | Source of trust |
| Validity Period | The start and expiration dates when the certificate is valid. | Limits the usage period |
| CA's Digital Signature | A signed value from the CA that guarantees the integrity of the certificate itself. | Prevents tampering |
3. Simplified Working Principle (HTTPS Handshake)
- Client Request: The browser initiates a request for HTTPS communication.
- Certificate Transmission: The server sends its SSL Certificate and Public Key to the browser.
- Certificate Verification: The browser checks if the certificate is signed by a trusted CA and is not expired.
- Secure Channel Establishment: Once verified, the browser uses the Public Key to securely encrypt a Symmetric Key (a faster key for bulk data) and sends it to the server. Both parties then use this Symmetric Key to start the highly efficient, encrypted data transfer.