You've seen that SSL/TLS server certificates are integral to the SSL/TLS handshake. They help the client verify that the server is who it appears to be, which helps prevent third parties from impersonating the server. But what are certificates, anyway? How are they generated, and why do clients trust them?
SSL/TLS server certificates are small data files that encapsulate information about the server that owns the certificate. This information is verified through a chain of certificate authorities that bridges the gap between the authorities that the browser trusts and the authorities that trust the server.
Private or self-signed SSL/TLS certificates are trivial to create. OpenSSL, available for most platforms, allows users to create self-signed SSL/TLS certificates. These consist of a private key and a public key, which a client and server can use to encrypt data and exchange it securely.
The downside to self-signed certificates is that they provide no guarantees of the server's identity. This may not be an issue for corporate networks, where certificates can be exchanged and trusted through internal provisioning.
If anybody can create and self-sign their own certificate, then how is a client (be it a browser or an application hitting an API endpoint) able to verify a server's identity?
On the public internet, trusted certificates are required. Historically, generating these trusted certificates could be expensive. Trust and identity on the web work similarly to meeting individuals in the real world. If somebody wants to verify your identity in person, they may ask for a photo ID issued by a trusted third party, like a government, school or corporate institution. The person verifying your identity trusts that this third party has verified your identity and that your ID cannot be forged.
This is called a chain of trust, and certificates are verified on the web in the same way. Each client has a list of third parties that they trust to verify certificates. These are called root certificate authorities. Microsoft, Oracle, Mozilla, Adobe and Apple maintain lists of trusted root certificate authorities through their own root programs and include these lists in the operating systems and browsers they produce.
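The difference between a self-signed certificate and one issued through a chain of trust can be seen directly with OpenSSL. The script below is an added example, not part of the original article: it builds a self-signed server certificate, a demo root CA and a CA-issued server certificate, then checks each against a list of trusted roots. The names example.test and Demo Root CA, the file names and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names (example.test, Demo Root CA) are constructed.

build_demo_pki() {  # $1 = empty working directory
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # 1. Self-signed server certificate: subject and issuer are the same.
    openssl req -x509 -config "$1/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" \
        -keyout "$1/self.key" -out "$1/self.crt" 2>/dev/null
    # 2. Demo root CA (also self-signed, but marked as a CA).
    openssl req -x509 -config "$1/demo.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    # 3. Server key and signing request, then the CA issues the certificate.
    openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}

# Succeeds only if certificate $2 chains to a root listed in file $1.
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
trusts "$demo_dir/ca.crt" "$demo_dir/leaf.crt" && echo "CA-issued: trusted"
trusts "$demo_dir/ca.crt" "$demo_dir/self.crt" || echo "self-signed: rejected"
# Internal provisioning: the client adds the self-signed cert to its own list.
trusts "$demo_dir/self.crt" "$demo_dir/self.crt" && echo "provisioned: trusted"
```

Both server certificates carry the same name, example.test; only the one issued by a root the client already trusts passes verification, unless the self-signed certificate has been placed in the client's trusted list beforehand.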
Recently there has been an effort to spread adoption of HTTPS by making it as easy as possible to generate and install certificates. Amazon Certificate Manager and Let's Encrypt are two certificate authorities that make it easy to create and manage trusted certificates for free.