Public Key Infrastructure

When your browser ran the TLS handshake, the server proved it owned a private key by signing the transcript. But that only proves the server holds some key — it says nothing about whose key it is. An attacker who intercepts your connection can generate a perfectly good key of their own and sign with it just as convincingly. The hard problem is not the maths of signing; it is binding a public key to an identity — to the actual bank.com — in a way you can verify while talking to a stranger you have never met, across a network run by strangers.

The answer the Internet settled on is Public Key Infrastructure (PKI): a global system of certificates, Certificate Authorities, and a chain of trust that reduces the impossible task of "trust a billion servers" to the manageable one of "trust a few dozen roots your browser already ships with." This page is about how that machinery works — the X.509 certificate, how a chain is validated, how a compromised key is revoked, and the modern additions (Certificate Transparency and Let's Encrypt) that patched its worst flaws.

The certificate: a signed statement of identity

A certificate is a small structured document, formatted as X.509, that says in effect: "the public key K belongs to the entity named bank.com, and I, the issuer, vouch for it — here is my signature." The signature is what makes it trustworthy: it is computed over all the other fields, so a single altered byte invalidates it.

X.509 fieldWhat it holds
SubjectWho the cert is for (e.g. CN/O of bank.com)
Subject Public KeyThe public key being bound to that identity
Subject Alt Names (SAN)The DNS names this cert is valid for — the field browsers actually check
IssuerWhich CA signed this cert (points one link up the chain)
ValiditynotBefore / notAfter — the lifetime window
Serial numberUnique ID the issuer assigned (used for revocation)
Basic ConstraintsCA: TRUE/FALSE — may this cert sign other certs?
SignatureThe issuer's signature over all the above

Two subtleties bite people. First, modern browsers ignore the old Common Name for host matching and check only the SAN list, so a cert without a matching SAN entry is rejected even if its CN looks right. Second, Basic Constraints CA: FALSE is what stops a leaf certificate from being abused to sign further certificates — a check whose absence caused real breaches before browsers enforced it.

The chain of trust

No single CA signs every website directly — that would be far too much risk concentrated in one key. Instead trust flows down a chain. Your browser and OS ship a root store: a curated list of a few dozen to a couple hundred root CA certificates, self-signed and implicitly trusted. Everything else earns trust by tracing back to one of those roots.

Why the extra intermediate layer? Because the root's private key is the crown jewels: if it leaked, every certificate under it would be forgeable, and you cannot easily replace a key baked into billions of devices. So the root is kept offline in a vault and used rarely, only to sign intermediates. If an intermediate is compromised, it can be revoked and replaced without touching the precious root. Follow the chain being verified:

// Validate a certificate chain the way a browser does: each cert's issuer // must be signed by the next cert up, dates must be valid, names must match, // and the chain must terminate at a root in the trust store. interface Cert { subject: string; issuer: string; signedBy: string; notBefore: number; notAfter: number; isCa: boolean; sanMatches: string; } const NOW = 2026.5; // pretend "today" const trustStore = new Set(["RootCA-X"]); const chain: Cert[] = [ { subject: "bank.com", issuer: "Intermediate-A", signedBy: "Intermediate-A", notBefore: 2026.0, notAfter: 2026.9, isCa: false, sanMatches: "bank.com" }, { subject: "Intermediate-A", issuer: "RootCA-X", signedBy: "RootCA-X", notBefore: 2020.0, notAfter: 2030.0, isCa: true, sanMatches: "" }, { subject: "RootCA-X", issuer: "RootCA-X", signedBy: "RootCA-X", // self-signed root notBefore: 2015.0, notAfter: 2035.0, isCa: true, sanMatches: "" }, ]; function validate(chain: Cert[], host: string): string { if (chain[0].sanMatches !== host) return "FAIL: leaf SAN does not match host"; for (let i = 0; i < chain.length; i++) { const c = chain[i]; if (NOW < c.notBefore || NOW > c.notAfter) return `FAIL: ${c.subject} expired/not-yet-valid`; const signer = chain[i + 1]; if (signer) { if (c.signedBy !== signer.subject) return `FAIL: ${c.subject} not signed by next cert`; if (!signer.isCa) return `FAIL: ${signer.subject} is not allowed to be a CA`; } } const root = chain[chain.length - 1]; if (!trustStore.has(root.subject)) return "FAIL: chain does not end at a trusted root"; return "PASS: chain valid, host authenticated"; } console.log(validate(chain, "bank.com")); console.log(validate(chain, "evil.com")); // SAN mismatch

Revocation: taking a certificate back

Certificates have an expiry date, but sometimes you must kill one early — a server's private key was stolen, or a cert was mis-issued. Since the certificate is a signed document already copied all over the world, you cannot un-sign it; you need a way to tell the world it is no longer valid. PKI offers two mechanisms, both flawed:

Because revocation is so unreliable, the industry has quietly shifted strategy toward short lifetimes: if a certificate is only valid for 90 days (or, increasingly, weeks), a stolen one becomes worthless soon anyway, and revocation matters less. "Rotate often" is beating "revoke reliably."

The deepest misconception about PKI: people think a valid certificate means the site is safe or reputable. It means only that you are genuinely talking to whoever controls that domain name. A criminal can obtain a perfectly valid, chain-verifying certificate for secure-paypa1.com in minutes, for free, because domain-validated issuance just checks you control the domain — not that you are honest. PKI answers "am I really talking to the owner of this name?" It does not answer "is the owner of this name a good actor?"

A second trap: a self-signed certificate (subject = issuer, no chain to a trusted root) is cryptographically fine but proves nothing about identity — anyone can self-sign any name. That is why browsers reject them with a warning: there is no third party vouching for the binding.

Patching PKI's holes: Transparency and ACME

Classic PKI has a terrifying weakness: any trusted CA can issue a certificate for any domain. There are hundreds of CAs (and their intermediates) in the world's trust stores; a single one that is compromised or coerced can mint a valid google.com certificate, and Google would never know. This is not hypothetical — in 2011 the Dutch CA DigiNotar was hacked and issued fraudulent certificates for Google and others, used to spy on Iranian users; DigiNotar was removed from every trust store and went bankrupt. Two modern additions harden the system:

The other revolution was Let's Encrypt and its ACME protocol (2015). Before it, certificates cost money and were fiddly to install, so most of the web ran plain HTTP. ACME automates the whole dance: your server proves it controls a domain by answering an automated challenge (place this token at a URL, or in a DNS record), and receives a free, short-lived certificate — renewed automatically by a background agent. The result was historic: HTTPS went from a minority of web traffic to the overwhelming majority in a few years. Free, automatic, short-lived certificates are why the padlock is now the default rather than the exception.

It nearly is — the CA model's weakest link really is "the least trustworthy CA in your store." What holds it together is a stack of after-the-fact defences rather than prevention. Certificate Transparency makes mis-issuance visible; browser vendors aggressively distrust CAs that misbehave (Symantec's giant CA business was gradually distrusted by Chrome after sloppy issuance; DigiNotar was killed outright). Some sites once pinned specific keys (HPKP), though that proved too dangerous and was deprecated in favour of CT plus the CAA DNS record, which lets a domain declare which CAs are allowed to issue for it. The system survives not because CAs can't cheat, but because cheating is now loud, punished, and career-ending for a CA.