If you're seeing this message, it means we're having trouble loading external resources on our website.

If you're behind a web filter, please make sure that the domains *.kastatic.org and *.kasandbox.org are unblocked.

Main content

Digital certificates

The TLS protocol relies on public key encryption. The sending computer uses the public key of the receiving computer when encrypting data. Before that happens, though, TLS requires a step that is crucial to its security: the sender must verify the identity behind the public key.
A digital certificate, also known as a public key certificate or identity certificate, proves the ownership of an encryption key.

The need for certificates

What would happen if TLS did not include a certificate verification step?
Attackers have come up with ways to intercept a request from one computer to another computer on the Internet, such as through rogue access points.
From here, they can launch a man-in-the-middle (MITM) attack. Even though it's called a "man" in the middle attack, attackers come in all ages and genders. You can also think of it as a "masquerader in the middle".
First, during the process of setting up a secure connection with TLS, an attacker sends the client their own public key instead of the server’s public key.
Illustration of active interception of a TLS packet over a rogue access point. There's a server on the left and a laptop labeled "Client" on the right. The top area is labeled "What the client thinks happens". It contains an arrow that is labeled with a green encryption key that goes from to the server to an access point labeled "legitimate access point". Another arrow is labeled the same way and goes from the legitimate access point to the client. The bottom area is labeled "What actually happens". It contains an arrow that is labeled with a green key that goes from the server to an attacker labeled "rogue access point". Another arrow is labeled with a red key that goes from the rogue access point to the client.
After that, whenever the client encrypts data with the received public key, they're instead encrypting data with the attacker’s public key. The attacker can then decrypt the encrypted message, change it however they'd like, and re-encrypt it with the server’s public key before sending the data to the server.
Illustration of active interception of a TLS packet over a rogue access point. On the left, a laptop has a website open with a filled-out amount field. There's a server on the right. The top area is labeled "What the client thinks happens". It contains an arrow that is labeled with a green encryption key and "Account ID: 25" that goes from to the laptop to an access point labeled "legitimate access point". Another arrow is labeled the same way and goes from the legitimate access point to the server. The bottom area is labeled "What actually happens". It contains an arrow that is labeled with a red key and "Account ID: 25" that goes from the laptop to an attacker labeled "rogue access point". Another arrow is labeled with a green key and "Account ID: 12" that goes from the rogue access point to the server.
To prevent a MiTM attack, the client needs to check the identity behind a public key. A digital certificate shows the identity behind a public key. However, if anyone can make them, how can a client trust the legitimacy of a digital certificate? In TLS, clients trust a digital certificate if it was generated by institutions known as certificate authorities.

Certificate authorities

A server that wants to communicate securely over TLS signs up with a certificate authority. The certificate authority verifies their ownership of the domain, signs the certificate with their own name and public key, and provides the signed certificate back to the server.
A made-up certificate that resembles certificates given to people that earn awards. The top says "Certificate of Authenticity". Under that, it says "This acknowledges that khanacademy.org is the proud owner of this public key:" and then has a long hexadecimal string. At the bottom, a line for the signature is labeled "Certificate Authority" and has the signature "GoDaddy Certificate Authority." Another line is labeled "Valid Dates" and has "10/14/2018 - 11/18/2020".
When the client inspects the certificate, it can see that a certificate authority is vouching for the authenticity of the public key. But it still has a decision to make: does it trust that certificate authority?
Clients generally come bundled with a list of trusted certificate authorities. For example, an Apple iPhone running iOS 10 trusts this list of certificate authorities.
Apple users then have to trust Apple to continually monitor that list to make sure each certificate authority is verifying domains properly.
You can imagine a chain of trust from the user to the server:
An illustration of the certificate chain of trust. Starts with an icon labeled "user" on the left. There's an arrow labeled "trusts" from user icon to an icon of a smartphone labeled "client" . Another arrow labeled "trusts" flows from client icon to an icon of a computer labeled "certificate authority". A final arrow flows from certificate authority icon to an icon of a computer labeled "server".
At each point, trust can be broken. If the user doesn't trust the client, they can override the client's default list of trusted certificate authorities. If a client no longer trusts a certificate authority, it will remove it from the list. If a certificate authority sees suspicious behavior from a server, it can revoke its certificate.

Intermediate certificate authorities

There are actually multiple levels of certificate authorities: the root certificate authority and intermediate certificate authority.
The root CA does not actually directly issue any digital certificates for servers. It only issues digital certificates for intermediate CAs that act on its behalf. The intermediate CAs can either issue digital certificates for another intermediate CA, or for a server directly.
Thus, there is another chain of trust, from the root CA to the server:
An illustration of the certificate authority chain of trust. Starts with a server icon labeled "Root CA" on the left. There's an arrow labeled "trusts" from that icon to another server icon labeled "Intermediate CA" . Another arrow labeled "trusts" flows from that icon to another server icon labeled "Intermediate CA". A final arrow labeled "trusts" flows from that icon to a server icon labeled "Server".
The layers of certificate authorities increase the security of the system. If a root CA discovers that an intermediate CA has been compromised by an attacker, they invalidate the certificates from that CA but continue trusting the certificates from their other intermediate CAs.
🔍 You can see the chain for yourself when you check the certificate for a secured website in the browser. If you click the lock next to the URL, the browser should offer a way to inspect the certificates.
Screenshot of certificates issued for Khan Academy website. Shows a nested list with "GlobalSign Root CA" at the top, then "GlobalSign CloudSSL CA", then "khan.map.fastly.net".
The chain of trust for KhanAcademy.org includes one intermediate CA.

🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!

Want to join the conversation?

  • blobby green style avatar for user Sean Link
    What is stopping a Man in the middle from "forging the signature" on these certificates?
    (24 votes)
    • blobby green style avatar for user Abhishek Shah
      Excellent question. One of the requirements of the sign/verify operations in cryptography is to prevent signature forgeries. A common way to achieve this is to "re-interpret" public key encryption (covered in this Online Data Security section).

      You can informally view public-key encryption as using two building blocks: make_one_way_hard (i.e. use the private key) and make_reverse_way_easy (i.e. use the public key).

      1) In public-key encryption, decrypting an encrypted message is hard without the private key. So, make_one_way_hard corresponds to this decryption. On the other hand, it is easy to encrypt a message with the public key. make_reverse_way_easy corresponds to this encryption. In other words, decryption is one way, and the reverse direction is encryption.

      2) For authentication (i.e. sign/verify operations), forging a message is hard without the private key. So, make_one_way_hard corresponds to this sign (e.g. decrypt from (1) ). On the other hand, it is easy to verify a signature with the public key.

      Math is often independent of the application. For example, 2x=4 represents a setting where x can correspond to finance (dollars), astronomical(planets), or biological (hair cells) applications. Indeed, the math used for the applications of public-key encryption or signature schemes can look quite similar.

      Of course, this is a simplifying analogy, but I hope it provides a new way to think about public-key encryption.
      (24 votes)
  • duskpin ultimate style avatar for user Shlok Mamidi
    Does not having a certificate mean that the website uses rogue access points?
    (6 votes)
  • blobby green style avatar for user dreynolds4579
    I'm not sure I completely understand what the job of the public and private keys are for when transferring data on the internet
    (3 votes)
    Default Khan Academy avatar avatar for user
  • duskpin seedling style avatar for user a.gildar
    Why does the article say Pacific Daylight Time?
    (1 vote)
  • blobby green style avatar for user colton.horrell
    What is the difference between tlc tld
    (2 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user Jingwen
    What will happen if the website certificate expires?
    (2 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user Becca
    A public key is numbers
    (1 vote)
    Default Khan Academy avatar avatar for user
  • piceratops seed style avatar for user CiaraA
    What is stopping a Man in the middle from "forging the signature" on these certificates
    (1 vote)
    Default Khan Academy avatar avatar for user
  • male robot hal style avatar for user Harry Lankshear
    A digital certificate uses the public key information as a part of the certificate right?
    Then doesn't that mean that you could forge a key for a server given that their public key is easily accessible?
    If a certificate is public information couldn't a hacker just copy and paste it and use it as their own? Or does it actually have to communicate with a CA server to check for legitimacy every time?
    (1 vote)
    Default Khan Academy avatar avatar for user
    • starky ultimate style avatar for user KLaudano
      Since private keys are required to sign certificates, an attacker cannot forge certificates with the public key alone. Furthermore, the public key cannot be used to decrypt messages. So, if an attacker pretended they owned a certificate and sent it out to other people, they would not be able to decrypt any messages they received.
      (1 vote)
  • starky ultimate style avatar for user Sebaztian
    The unanimous Declaration of the thirteen united States of America, When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature's God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

    We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.--That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, --That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security.--Such has been the patient sufferance of these Colonies; and such is now the necessity which constrains them to alter their former Systems of Government. The history of the present King of Great Britain is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States. To prove this, let Facts be submitted to a candid world.

    He has refused his Assent to Laws, the most wholesome and necessary for the public good.

    He has forbidden his Governors to pass Laws of immediate and pressing importance, unless suspended in their operation till his Assent should be obtained; and when so suspended, he has utterly neglected to attend to them.

    He has refused to pass other Laws for the accommodation of large districts of people, unless those people would relinquish the right of Representation in the Legislature, a right inestimable to them and formidable to tyrants only.

    He has called together legislative bodies at places unusual, uncomfortable, and distant from the depository of their public Records, for the sole purpose of fatiguing them into compliance with his measures.

    He has dissolved Representative Houses repeatedly, for opposing with manly firmness his invasions on the rights of the people.

    He has refused for a long time, after such dissolutions, to cause others to be elected; whereby the Legislative powers, incapable of Annihilation, have returned to the People at large for their exercise; the State remaining in the mean time exposed to all the dangers of invasion from without, and convulsions within.

    He has endeavoured to prevent the population of these States; for that purpose obstructing the Laws for Naturalization of Foreigners; refusing to pass others to encourage their migrations hither, and raising the conditions of new Appropriations of Lands.

    He has obstructed the Administration of Justice, by refusing his Assent to Laws for establishing Judiciary powers.

    He has made Judges dependent on his Will alone, for the tenure of their offices, and the amount and payment of their salaries.

    He has erected a multitude of New Offices, and sent hither swarms of Officers to harrass our people, and eat out their substance.

    He has kept among us, in times of peace, Standing Armies without the Consent of our legislatures.

    He has affected to render the Military independent of and superior to the Civil power.

    He has combined with others to subject us to a jurisdiction foreign to our constitution, and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:

    For Quartering large bodies of armed troops among us:

    For protecting them, by a mock Trial, from punishment for any Murders which they should commit on the Inhabitants of these States:

    For cutting off our Trade with all parts of the world:

    For imposing Taxes on us without our Consent:

    For depriving us in many cases, of the benefits of Trial by Jury:

    For transporting us beyond Seas to be tried for pretended offences

    For abolishing the free System of English Laws in a neighbouring Province, establishing therein an Arbitrary government, and enlarging its Boundaries so as to render it at once an example and fit instrument for introducing the same absolute rule into these Colonies:

    For taking away our Charters, abolishing our most valuable Laws, and altering fundamentally the Forms of our Governments:

    For suspending our own Legislatures, and declaring themselves invested with power to legislate for us in all cases whatsoever.

    He has abdicated Government here, by declaring us out of his Protection and waging War against us.

    He has plundered our seas, ravaged our Coasts, burnt our towns, and destroyed the lives of our people.

    He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation and tyranny, already begun with circumstances of Cruelty & perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

    He has constrained our fellow Citizens taken Captive on the high Seas to bear Arms against their Country, to become the executioners of their friends and Brethren, or to fall themselves by their Hands.

    He has excited domestic insurrections amongst us, and has endeavoured to bring on the inhabitants of our frontiers, the merciless Indian Savages, whose known rule of warfare, is an undistinguished destruction of all ages, sexes and conditions.

    In every stage of these Oppressions We have Petitioned for Redress in the most humble terms: Our repeated Petitions have been answered only by repeated injury. A Prince whose character is thus marked by every act which may define a Tyrant, is unfit to be the ruler of a free people.

    Nor have We been wanting in attentions to our Brittish brethren. We have warned them from time to time of attempts by their legislature to extend an unwarrantable jurisdiction over us. We have reminded them of the circumstances of our emigration and settlement here. We have appealed to their native justice and magnanimity, and we have conjured them by the ties of our common kindred to disavow these usurpations, which, would inevitably interrupt our connections and correspondence. They too have been deaf to the voice of justice and of consanguinity. We must, therefore, acquiesce in the necessity, which denounces our Separation, and hold them, as we hold the rest of mankind, Enemies in War, in Peace Friends.

    We, therefore, the Representatives of the united States of America, in General Congress, Assembled, appealing to the Supreme Judge of the world for the rectitude of our intentions, do, in the Name, and by Authority of the good People of these Colonies, solemnly publish and declare, That these United Colonies are, and of Right ought to be Free and Independent States; that they are Absolved from all Allegiance to the British Crown, and that all political connection between them and the State of Great Britain, is and ought to be totally dissolved; and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor.
    (0 votes)
    Default Khan Academy avatar avatar for user