Digital certificates: why your browser trusts a site

The padlock doesn't appear by magic. Behind it is a chain of signatures —the PKI— that someone has to issue, validate and renew on time. This is how your browser decides who to trust.

You type your bank's address, the padlock appears, and you assume you're talking to who you think. But between your browser and that server there's a network you don't control, full of points where someone could impersonate the site. The real question isn't "is the connection encrypted?", but "am I encrypting with the party I actually want?". That's exactly the question digital certificates —and the infrastructure that backs them, the PKI— exist to answer.

The problem they solve

Asymmetric encryption lets a server publish its public key so anyone can encrypt messages that only it, with its private key, can read. Elegant —but it leaves a gaping hole.

Key concept

Asymmetric encryption lets a server publish its public key, but a question arises that encryption alone does not answer: how do I know that public key is from who it claims to be, and not from an impostor who put themselves in the middle?

A digital certificate answers exactly that: it stamps an identity onto the public key, signed by someone you already trust.

Without certificates, an attacker in the middle of the path could hand you their public key while pretending to be the bank. You'd happily encrypt… straight to the attacker. The certificate is what breaks that trick: it ties the public key to a specific domain and backs it with a verifiable signature.

What a digital certificate is

A digital certificate is an electronic document that binds an identity —a domain, for example bank.com— to its public key, and that is signed by a trusted authority. That stamp is what gives it value: anyone can claim to be bank.com, but not just anyone can produce a valid signature from a recognized authority.

Inside, a certificate mainly contains:

All of that travels in a standard format called X.509 —the same one used by HTTPS, email or code-signing certificates—. You don't need to read it by hand; your browser interprets it for you in milliseconds.

Who signs: Certificate Authorities (CAs)

A Certificate Authority (CA) is an organization that browsers and operating systems trust by default. Its job is to verify requests and sign certificates with its own private key, putting its reputation behind every signature.

Key concept

Your device ships with a preinstalled list of trusted root CAs —the so-called trust store (root store)—. Those roots are the starting point: anything they sign, directly or indirectly, inherits their trust.

That's why trusting a site doesn't require you to have seen it before; it's enough that its certificate descends from a root your system already knew the day you installed it.

You don't curate that store by hand: browser and operating-system vendors maintain it under strict criteria. If a CA misbehaves, they can eject it from the store, and with it every certificate it has signed stops being valid.

The chain of trust

CAs don't sign site certificates directly with their root —that key is too valuable to expose daily—. Instead they set up a chain:

  1. There's a root CA, whose certificate is already on your device and which you trust as a baseline. Its private key is kept with extreme care, offline.
  2. The root signs one or more intermediate certificates. These are the ones operating day to day, shielding the root from exposure.
  3. The intermediates sign the site's certificate —the "leaf"—, which is what the server presents when you connect.
  4. Your browser verifies the chain upward: from the site's certificate to the intermediate, from the intermediate to the root, until it lands on a trusted root.

If a signature doesn't check out at any link, the chain breaks, or the climb ends in a root your device doesn't know, the browser won't trust it. There are no shortcuts: either the chain reaches a trusted root, or it's worthless.

How the browser validates it

When you connect over HTTPS, the server hands you its certificate (and usually the intermediates). Your browser silently runs a checklist before showing the padlock:

  1. It checks the certificate hasn't expired and hasn't been revoked —a CA can invalidate a certificate ahead of time if, for example, its private key leaked—.
  2. It checks the certificate's domain matches the one you're visiting. A certificate for bank.com isn't valid for another-site.com.
  3. It verifies the signature following the chain up to a trusted root, exactly as we saw above.
  4. If it all checks out, it shows the padlock and establishes the encrypted session. If something fails, it shows the "not secure" warning and stops you.

All of this happens during the handshake, before a single byte of the page loads. By the time you see the padlock, those four checks have already passed.

Common mistakes

Common mistake

"The padlock —or the valid certificate— means the company is legitimate or trustworthy." Not necessarily. A DV (domain validation) certificate, the most common one, only proves that whoever requested it controls the domain, not who the organization behind it is. A fraudulent site can hold a perfectly valid certificate for its own domain. The certificate proves domain control and enables encryption; it does not vouch for honesty.

Around that central confusion there are a few other common slips:

The banking angle

In banking, PKI isn't limited to consuming public certificates for customer-facing sites. Behind the scenes, institutions run their own internal PKI so services authenticate to each other before exchanging anything.

Trust on the web isn't magic: it's a chain of signatures someone has to issue, validate and renew on time. The padlock is the visible result of that chain working. In a bank, where each service proves itself to the next, that chain isn't left to chance —it's governed—.

Jorel del Portal

Jorel del Portal

Systems engineer specialized in enterprise software architecture and high-availability platforms in banking and finance.