A technical overview of how SSL certificates work

Starting with the moment when Google introduced its campaign called “HTTPS Everywhere”, almost all website owners are talking about SSL certificates. But the fact is that the SSL encryption is still a mystery for many Internet users. In this article, we will explore how SSL Certificates work, from architecture interactions.

The architecture of an SSL certificate

Secure Socket Layers Certificates, better known as SSL Certificates, contain two elements: the certificate itself and the protocol. Even though nowadays we use the Transport Layer Security (TLS) protocol, the term “SSL” is still used when referring to web security protocols. While the SSL protocol is actually the engine of the security encryption and decryption, the certificate ensures the verification of the website’s owner and gives him/her certain permissions.

Certificate Authorities are the exclusive entities that issue SSL certificates and authenticate websites. They grant websites with levels of authentication based on the SSL certificates’ validation types. Domain and Organization validations give the first level of authentication, while the Extended Validation gives websites the second and highest level of authentication. The Certificate Authority signs each SSL certificate with complex digital signatures that confirm its authenticity.

The interaction with SSL certificates

The SSL interaction is based on the “Public Key Infrastructure (PKI)” framework, particularly on its “asymmetric cryptography”. This process uses two specific keys, one called “public” and the other one called “private”. Each key performs only one task: the public key is available for everybody and encrypts the data, while the private key belongs exclusively to the owner and decrypts the data.

The SSL interaction begins with the signing process of the SSL certificate. The website sends an encrypted hash of data using the Certificate Authority’s public key. Then the Certificate Authority uses its private key for decrypting this hash of data. Once the decryption was performed, the obtained hash of data is compared to the original hash. If the two hash codes are equal, then the website is verified and receives its signed SSL certificate.

The same principle applies during the website-user interaction. The user’s browser verifies if your website owns an SSL certificate. If the SSL certificate is present, then the browser first exchanges the information about how to perform the encryption/decryption. It then gets approval from your website ( “TLS handshake”), and only after that the SSL interaction process begins. The browser uses the public key to encrypt the data which it sends, and your website uses its private key to decrypt it. This interaction underlies how SSL Certificates work. It takes place in the background and it is invisible to the users.

The stages of the certification process

We can divide the SSL certification process into two stages: obtaining the SSL certificate, and the website’s further interactions using it. However, you should know that both stages function on the public/private key infrastructure. The public key encrypts the information and the private key decrypts it.

This is what the SSL certificate does to enhance the security of your website and protect your users from cybercriminals and threats. Now that you know how SSL Certificates work, you can follow Google’s campaign and contribute to a more secure web by owning an SSL certificate.