Every time you see the padlock icon in your browser's address bar, your browser has performed an invisible trust verification. It checked a digital certificate, validated it against a chain of trusted authorities, and confirmed that the website you are connecting to is who it claims to be. This system is the foundation of secure communication on the web.
What Digital Certificates Are
A digital certificate is essentially an identity card for a website. It is a small file that contains several critical pieces of information:
- The domain name the certificate was issued for (e.g., example.com)
- The public key used to establish encrypted connections
- The issuer -- which Certificate Authority (CA) vouches for this certificate
- The validity period -- when the certificate was issued and when it expires
- A digital signature from the issuer proving the certificate has not been tampered with
When your browser connects to a website over HTTPS, the server presents its certificate. Your browser then verifies this certificate before establishing an encrypted connection. If anything is wrong -- expired, wrong domain, untrusted issuer -- you get a warning.
The Certificate Authority System
Certificates do not validate themselves. They rely on a hierarchical trust system built on Certificate Authorities (CAs) -- organizations trusted to verify the identity of website operators and issue certificates.
The trust chain works like this:
- Root CAs are the ultimate trust anchors. Their certificates come pre-installed in your browser and operating system. There are roughly 150 root CAs trusted by major browsers. Organizations like DigiCert, GlobalSign, and Sectigo operate root CAs.
- Intermediate CAs are authorized by root CAs to issue certificates on their behalf. This creates a buffer -- if an intermediate CA is compromised, the root CA can revoke it without disrupting the entire system.
- End-entity certificates are the certificates issued to actual websites. They are signed by an intermediate CA, which is signed by a root CA, forming a chain of trust.
Your browser walks this chain: it verifies the end-entity certificate was signed by a trusted intermediate, and that intermediate was signed by a trusted root. If every link checks out, the connection is trusted.
How Certificate Validation Works
When your browser receives a certificate, it runs through several checks:
- Is it expired? Certificates have a fixed validity period, typically 90 days to one year. An expired certificate could mean the site operator forgot to renew, or it could indicate a problem.
- Is the domain correct? The certificate must match the domain you are visiting. A certificate for example.com is not valid for mail.example.com unless it includes a wildcard (*.example.com) or lists additional domains.
- Is the issuer trusted? The signing CA must chain back to a root CA in the browser's trust store.
- Has it been revoked? CAs can revoke certificates that have been compromised. Browsers check revocation status using CRLs (Certificate Revocation Lists) or OCSP (Online Certificate Status Protocol).
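The chain walk and the validation checks above, worked through as an added example (not code from the article): Go's standard crypto/x509 package is used to construct a root, an intermediate and an end-entity certificate (the CA names and domains are made up), then to verify the leaf against a trust store the way a browser does, so that a hostname mismatch, an expired leaf, a wildcard stretched over more than one label, and a root absent from the trust store are all rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent with a fresh P-256 key; parent == nil yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain constructs test data (not a real CA hierarchy): a 90-day end-entity certificate for the
// given SAN names (at least one), signed by an intermediate that a self-signed root signs; CAs last ten years.
func BuildChain(sans ...string) (leaf, inter, root *x509.Certificate) {
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	root, rootKey := sign(ca("Example Root CA", 1), nil, nil)
	inter, interKey := sign(ca("Example Intermediate CA", 2), root, rootKey)
	leaf, _ = sign(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: sans[0]},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 90)}, inter, interKey)
	return leaf, inter, root
}

// Validate runs the browser-style checks as of time at: leaf chains through inter to trustedRoot, every
// certificate is within its validity period, hostname matches a SAN (wildcard = one leftmost label). No revocation check.
func Validate(leaf, inter, trustedRoot *x509.Certificate, hostname string, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname, CurrentTime: at})
	return err
}
```

Passing the root of a different chain to Validate reproduces the untrusted-issuer case; revocation via CRL or OCSP would be an additional lookup on top of what Verify performs.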
Certificate Types
Not all certificates are created equal. They differ in how thoroughly the CA verifies the applicant's identity:
- Domain Validation (DV) -- The CA verifies only that the applicant controls the domain, usually through an email or DNS check. This is the most common type and is what Let's Encrypt issues. It proves you are connected to the right server but says nothing about who operates it.
- Organization Validation (OV) -- The CA also verifies that the organization requesting the certificate is a real, registered entity. This provides more assurance but is not visually distinguished from DV in most browsers.
- Extended Validation (EV) -- The most thorough vetting process, requiring legal documentation and verification of the organization's physical existence. EV certificates once displayed the organization name in a green address bar, but most browsers have removed this visual indicator. The debate continues over whether EV provides meaningful additional security for end users.
The Let's Encrypt Revolution
Before 2015, getting an HTTPS certificate cost money and required manual configuration. This meant only large organizations bothered with HTTPS, and most of the web was unencrypted.
Let's Encrypt changed everything by providing free, automated DV certificates through the ACME (Automatic Certificate Management Environment) protocol. Website operators can obtain and renew certificates with a single command, with no human intervention required.
The impact has been dramatic. HTTPS adoption went from roughly 40% of web page loads in 2015 to over 95% today. Encryption is now the default, not the exception. Let's Encrypt currently serves certificates for hundreds of millions of websites.
Certificate Problems and What to Do About Them
Compromised Certificate Authorities
The CA system has a critical weakness: any trusted CA can issue a certificate for any domain. In 2011, the Dutch CA DigiNotar was compromised, and attackers issued fraudulent certificates for Google, Yahoo, and other major services. These fake certificates were used to intercept the communications of Iranian citizens. DigiNotar was removed from all browser trust stores and went bankrupt.
Certificate Transparency
In response to incidents like DigiNotar, Certificate Transparency (CT) logs were created. Every certificate issued by a CA must now be logged in publicly auditable append-only logs. This means anyone can monitor these logs for unauthorized certificates issued for their domain -- and they regularly do. CT has made fraudulent certificate issuance far more detectable.
What to Do When You See a Certificate Error
If your browser shows a certificate warning, take it seriously. Do not click through it unless you fully understand why the error is occurring. Common legitimate causes include corporate network proxies that inspect HTTPS traffic, or development environments using self-signed certificates. For any public website, a certificate error is a red flag -- navigate away and try again later, or contact the site operator.
The certificate system is not perfect, but it is the trust infrastructure that makes secure web browsing possible. Understanding how it works helps you make better decisions when something goes wrong.