What is a digital certificate (TLS/SSL certificate)?
4 minbeginnercertificatesx509pki
Quick Answer
A digital certificate is a file that binds a public key to an identity, like a domain name (example.com). It is issued and digitally signed by a trusted Certificate Authority (CA). When your browser connects to a website, the server sends its certificate so the browser can verify the site's identity and get its public key.
Detailed Answer
A TLS certificate is like an ID card for a website. It links a domain name to a public key, and a trusted third party vouches for that link with a signature.
A certificate (in the common X.509 format) mainly contains:
- Subject — who the certificate belongs to, for example
example.com. - Public key — the site's public key, used during the TLS handshake.
- Issuer — the Certificate Authority (CA) that issued and signed it.
- Validity period — a "not before" and "not after" date. Expired certificates are rejected.
- Signature — the CA's digital signature over all the above fields.
When your browser connects to https://example.com, the server sends this certificate. The browser then checks:
- Does the domain name in the certificate match the site you are visiting?
- Is the certificate still within its validity period?
- Was it signed by a CA the browser already trusts?
If all three checks pass:
- The browser trusts the public key inside the certificate.
- The handshake continues.