When your browser ran the
bank.com — in a way you can verify while talking to a stranger you have never
met, across a network run by strangers.
The answer the Internet settled on is Public Key Infrastructure (PKI): a global system of certificates, Certificate Authorities, and a chain of trust that reduces the impossible task of "trust a billion servers" to the manageable one of "trust a few dozen roots your browser already ships with." This page is about how that machinery works — the X.509 certificate, how a chain is validated, how a compromised key is revoked, and the modern additions (Certificate Transparency and Let's Encrypt) that patched its worst flaws.
A certificate is a small structured document, formatted as X.509, that says in effect:
"the public key bank.com, and I,
the issuer, vouch for it — here is my signature." The signature is what makes it trustworthy: it is
computed over all the other fields, so a single altered byte invalidates it.
| X.509 field | What it holds |
|---|---|
| Subject | Who the cert is for (e.g. CN/O of bank.com) |
| Subject Public Key | The public key being bound to that identity |
| Subject Alt Names (SAN) | The DNS names this cert is valid for — the field browsers actually check |
| Issuer | Which CA signed this cert (points one link up the chain) |
| Validity | notBefore / notAfter — the lifetime window |
| Serial number | Unique ID the issuer assigned (used for revocation) |
| Basic Constraints | CA: TRUE/FALSE — may this cert sign other certs? |
| Signature | The issuer's signature over all the above |
Two subtleties bite people. First, modern browsers ignore the old Common Name for host
matching and check only the SAN list, so a cert without a matching SAN entry is
rejected even if its CN looks right. Second, Basic Constraints CA: FALSE is
what stops a leaf certificate from being abused to sign further certificates — a check whose absence
caused real breaches before browsers enforced it.
No single CA signs every website directly — that would be far too much risk concentrated in one key. Instead trust flows down a chain. Your browser and OS ship a root store: a curated list of a few dozen to a couple hundred root CA certificates, self-signed and implicitly trusted. Everything else earns trust by tracing back to one of those roots.
Why the extra intermediate layer? Because the root's private key is the crown jewels: if it leaked, every certificate under it would be forgeable, and you cannot easily replace a key baked into billions of devices. So the root is kept offline in a vault and used rarely, only to sign intermediates. If an intermediate is compromised, it can be revoked and replaced without touching the precious root. Follow the chain being verified:
Certificates have an expiry date, but sometimes you must kill one early — a server's private key was stolen, or a cert was mis-issued. Since the certificate is a signed document already copied all over the world, you cannot un-sign it; you need a way to tell the world it is no longer valid. PKI offers two mechanisms, both flawed:
Because revocation is so unreliable, the industry has quietly shifted strategy toward short lifetimes: if a certificate is only valid for 90 days (or, increasingly, weeks), a stolen one becomes worthless soon anyway, and revocation matters less. "Rotate often" is beating "revoke reliably."
The deepest misconception about PKI: people think a valid certificate means the site is
safe or reputable. It means only that you are genuinely talking to whoever controls
that domain name. A criminal can obtain a perfectly valid, chain-verifying certificate for
secure-paypa1.com in minutes, for free, because domain-validated issuance just
checks you control the domain — not that you are honest. PKI answers "am I really talking to the owner
of this name?" It does not answer "is the owner of this name a good actor?"
A second trap: a self-signed certificate (subject = issuer, no chain to a trusted root) is cryptographically fine but proves nothing about identity — anyone can self-sign any name. That is why browsers reject them with a warning: there is no third party vouching for the binding.
Classic PKI has a terrifying weakness: any trusted CA can issue a certificate for
any domain. There are hundreds of CAs (and their intermediates) in the world's trust
stores; a single one that is compromised or coerced can mint a valid google.com certificate,
and Google would never know. This is not hypothetical — in 2011 the Dutch CA DigiNotar
was hacked and issued fraudulent certificates for Google and others, used to spy on Iranian users;
DigiNotar was removed from every trust store and went bankrupt. Two modern additions harden the system:
The other revolution was Let's Encrypt and its ACME protocol (2015). Before it, certificates cost money and were fiddly to install, so most of the web ran plain HTTP. ACME automates the whole dance: your server proves it controls a domain by answering an automated challenge (place this token at a URL, or in a DNS record), and receives a free, short-lived certificate — renewed automatically by a background agent. The result was historic: HTTPS went from a minority of web traffic to the overwhelming majority in a few years. Free, automatic, short-lived certificates are why the padlock is now the default rather than the exception.
It nearly is — the CA model's weakest link really is "the least trustworthy CA in your store." What holds it together is a stack of after-the-fact defences rather than prevention. Certificate Transparency makes mis-issuance visible; browser vendors aggressively distrust CAs that misbehave (Symantec's giant CA business was gradually distrusted by Chrome after sloppy issuance; DigiNotar was killed outright). Some sites once pinned specific keys (HPKP), though that proved too dangerous and was deprecated in favour of CT plus the CAA DNS record, which lets a domain declare which CAs are allowed to issue for it. The system survives not because CAs can't cheat, but because cheating is now loud, punished, and career-ending for a CA.