The Certificate Problem
Aisha was a PKI administrator explaining digital certificates to a new hire. She started with the problem they solved.
"Asymmetric encryption works great," she said. "To send a secret message to the bank, I encrypt it with the bank's public key β only their private key can decrypt it. But how do I know that the public key I'm using actually belongs to the bank? What if a man-in-the-middle substituted their own public key? I'd be encrypting messages for the attacker, not the bank."
The solution was a digital certificate β a document that bound a public key to an identity, signed by a trusted third party called a Certificate Authority. Your browser doesn't just trust any public key claiming to be bank.com. It trusts a public key that a trusted CA has vouched for β a CA whose own certificate is trusted by your operating system or browser.
That chain of trust was the PKI β Public Key Infrastructure.
What's Inside a Certificate: X.509
Aisha pulled up a certificate in the browser's developer tools. "X.509 is the standard format that every TLS certificate uses. Let me walk you through what's in it."
Subject: who this certificate belongs to β bank.com. Subject Alternative Names (SANs): the list of domain names this certificate covers β bank.com, www.bank.com, mobile.bank.com. Issuer: which CA signed this certificate β "GlobalSign Extended Validation CA." Public Key: the actual RSA or ECDSA public key that belongs to this subject. Validity period: not valid before [date], not valid after [date] β certificates expire. Signature: the CA's digital signature over all the above fields β proving the CA verified this binding.
"That signature at the bottom is everything," Aisha emphasized. "The CA computed the hash of all the certificate fields and signed it with the CA's private key. Your browser decrypts that signature with the CA's public key β if the hash matches the certificate contents, the certificate hasn't been tampered with, and the CA genuinely vouched for it."
The Chain of Trust: From Root to Server
"But how does the browser trust the CA?" the new hire asked.
"That's the chain of trust," Aisha said. "Your browser comes with a built-in list of trusted Root CAs β certificate authorities whose root certificates are pre-installed by the browser or OS vendor. Microsoft, Apple, Mozilla, and Google each maintain their own root stores. Root CAs are extremely carefully guarded β their private keys live in HSMs in physically secured facilities."
The typical chain had three levels. Root CA at the top β self-signed, pre-trusted in the browser. An Intermediate CA in the middle β its certificate was signed by the Root CA. The end-entity (leaf) certificate at the bottom β bank.com's certificate, signed by the Intermediate CA. The browser verified the chain: bank.com's certificate signed by the Intermediate CA, Intermediate CA's certificate signed by the Root CA, and the Root CA is in the trusted store.
"Root CAs almost never sign end-entity certificates directly," Aisha explained. "They sign intermediate CA certificates. If an intermediate CA is compromised, it can be revoked β the root CA remains secure and uncompromised. Defense in depth."
How a Server Gets Its Certificate
The new hire asked how bank.com gets its certificate. Aisha walked through the process.
"Bank.com's administrator generates a key pair β a private key and the corresponding public key. They create a Certificate Signing Request β a CSR β which contains the public key and the identity information they're claiming: subject name, SANs, organization. The CSR is signed with the private key β proving they have it β and submitted to the CA."
"The CA validates the request. For a Domain Validation (DV) certificate, they just verify you control the domain β by asking you to put a specific file at a specific URL or add a DNS record. For Organization Validation (OV) or Extended Validation (EV) certificates, they verify the organization's legal existence."
"Once validated, the CA signs the CSR contents with their private key and returns the signed certificate. The server installs the certificate alongside the private key. The private key never goes to the CA β only the public key, in the CSR."
2. Server creates CSR containing the public key and identity claims, signed with the private key
3. CSR submitted to CA for validation
4. CA verifies identity and domain control
5. CA signs the CSR contents with the CA's private key β this is the certificate
6. Signed certificate returned to server β installed alongside private key
The private key is NEVER sent to the CA.
When Certificates Go Bad: Revocation
"What happens when a certificate is compromised before it expires?" the new hire asked. "Or an employee leaves and we need to revoke their certificate?"
"Two mechanisms: CRL and OCSP," Aisha replied.
A Certificate Revocation List was exactly what it sounded like β a list published by the CA of all certificates it had revoked before their expiration dates. Browsers periodically downloaded and cached the CRL. The problem: CRLs grew large, downloads were slow, and there was always a lag between revocation and when a browser updated its cached list.
OCSP β Online Certificate Status Protocol β was real-time. Instead of downloading a whole list, the browser queried the CA's OCSP responder with just the certificate's serial number: "Is this certificate still valid?" The responder answered: "Good," "Revoked," or "Unknown." Real-time verification, but it required a network request per connection, added latency, and exposed which sites you visited to the CA.
OCSP Stapling solved the latency and privacy problems. The server queried the OCSP responder itself, received a time-stamped OCSP response (signed by the CA), and included it in the TLS handshake. The client received the certificate AND the CA's signed statement that it was valid β no extra round trip to the CA required.
Wildcard Certificates, SANs, and Heartbleed
"We have a dozen subdomains," the new hire noted. "Do we need a separate certificate for each?"
"Two options," Aisha said. "A wildcard certificate covers one subdomain level with an asterisk: *.bank.com covers www.bank.com, mobile.bank.com, api.bank.com β any single label. But it doesn't cover sub-sub-domains like staging.api.bank.com."
"The other option is a Subject Alternative Name certificate β you list every specific domain the certificate covers. More flexible β can cover different domains entirely, not just subdomains. Most modern certificates use SANs."
Aisha brought up one more critical topic: the Heartbleed vulnerability of 2014. A bug in OpenSSL's implementation of the TLS heartbeat feature allowed an attacker to request that the server send back memory contents β up to 64KB at a time. That memory could contain the server's private key, session keys, usernames and passwords β essentially everything in the server's memory. Millions of servers were vulnerable.
"After Heartbleed, every affected organization had to: patch OpenSSL, revoke all existing certificates (because private keys may have been stolen), generate new key pairs, and request new certificates. The revocation systems were overwhelmed β this was a case study in why certificate revocation infrastructure matters. If you can't revoke and replace certificates quickly, private key compromises become catastrophic."
Trust chain: Root CA (pre-trusted) β Intermediate CA β End-entity certificate.
CSR: Private key stays on server. Public key + identity goes to CA in CSR. CA signs it back.
Revocation: CRL (list, cached, delayed) | OCSP (real-time, one query) | OCSP Stapling (server pre-fetches, staples to TLS handshake).
Types: Wildcard (*.example.com, one level) | SAN (explicit list of domains).
Heartbleed (2014): OpenSSL bug exposing server memory including private keys β required mass certificate revocation and reissuance.