
TLS Certificates And Chains Of Trust

How browsers verify a server's identity through signed certificate chains.


What TLS Proves

TLS encrypts and integrity-protects a connection, and it proves the server's identity with a certificate. The certificate binds a domain name to a public key and is signed, directly or through intermediates, by a Certificate Authority whose root the client already trusts. During the handshake the server also proves it holds the private key matching that public key; without that proof the certificate alone would show nothing, since certificates are public.

The Chain Of Trust

  • A browser (or the operating system it relies on) ships with a trust store of root certificates from trusted authorities.
  • The server presents its leaf certificate plus any intermediate certificates needed to reach a root; the root itself is normally not sent, because the client already has it.
  • Each certificate is signed with the private key of its issuer, the certificate above it, up to a self-signed root in the trust store.
  • The client checks every signature, that the requested hostname matches a name in the leaf (its Subject Alternative Names), that each certificate is within its validity period at the time of the check, and that each issuer is actually permitted to act as a CA (Basic Constraints); most clients also check revocation status.

What Can Go Wrong

  • An expired or self-signed certificate fails validation and the browser warns the user; unless the user clicks through the warning, the connection does not proceed.
  • A missing intermediate makes some clients reject an otherwise valid chain, because they cannot find a signer for the leaf; other clients fetch the intermediate themselves or already have it cached, so the failure is often reported only by a subset of users.
  • A compromised or misbehaving authority can issue rogue certificates for domains it should not. Certificate Transparency logs do not prevent that, but they make issuance public so domain owners and browsers can detect it.
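The chain walk described under The Chain Of Trust, and the first two failure modes above, can be reproduced offline with Go's standard crypto/x509 package. The following is an added example written for this lesson, not code from the page's author or from any real CA: it generates a throwaway root, an intermediate and a leaf (the "Example Root CA" and "Example Intermediate CA" names, the example.com hostname, the attacker.example hostname used for the mismatch case, and the 2024 validity window are all constructed for the demo), then verifies the leaf against a trust store that contains only that root, once correctly and once for each of a missing intermediate, a wrong hostname, an expired certificate, and a leaf issued under a root the client does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the demo stays short; real code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues a certificate for pub from tmpl, signed with the parent's private key.
// When tmpl == parent the result is self-signed, which is how a root is made.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// BuildChain creates a hypothetical root -> intermediate -> leaf hierarchy for host.
// The CA names are constructed for this example and belong to no real authority.
func BuildChain(host string, notBefore, notAfter time.Time) (root, inter, leaf *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed trust anchor
	interTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate CA"},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, // may sign leaves only
		KeyUsage: x509.KeyUsageCertSign,
	}
	inter = sign(interTmpl, root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = sign(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf
}

// Verify does what a client does: walk leaf -> intermediates -> a trusted root, checking
// every signature, the hostname against the SANs, validity at time now, and CA constraints.
func Verify(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string, now time.Time) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range intermediates {
		interPool.AddCert(i)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName: host, Roots: rootPool, Intermediates: interPool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Classify maps the verifier's typed errors to the user-facing reason a browser would show.
func Classify(err error) string {
	var ua x509.UnknownAuthorityError
	var he x509.HostnameError
	var ci x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &ua):
		return "unknown authority"
	case errors.As(err, &he):
		return "hostname mismatch"
	case errors.As(err, &ci) && ci.Reason == x509.Expired:
		return "expired"
	}
	return "other: " + err.Error()
}

// RunScenarios verifies one good chain and four broken ones against a single trusted root.
func RunScenarios() map[string]string {
	nb := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed validity window
	na, now := nb.AddDate(1, 0, 0), nb.AddDate(0, 6, 0)
	root, inter, leaf := BuildChain("example.com", nb, na)
	_, rogueInter, rogueLeaf := BuildChain("example.com", nb, na) // same name, untrusted root
	roots, inters := []*x509.Certificate{root}, []*x509.Certificate{inter}
	return map[string]string{
		"full_chain":           Classify(Verify(leaf, inters, roots, "example.com", now)),
		"missing_intermediate": Classify(Verify(leaf, nil, roots, "example.com", now)),
		"wrong_host":           Classify(Verify(leaf, inters, roots, "attacker.example", now)),
		"expired":              Classify(Verify(leaf, inters, roots, "example.com", na.AddDate(0, 0, 1))),
		"untrusted_root":       Classify(Verify(rogueLeaf, []*x509.Certificate{rogueInter}, roots, "example.com", now)),
	}
}

func main() {
	for name, result := range RunScenarios() {
		fmt.Println(name+":", result)
	}
}
```

The missing_intermediate case is the one worth noting when debugging a deployment: the leaf is perfectly valid, yet the client reports an unknown authority because it has no way to reach the root without the intermediate. The untrusted_root case is also what a self-signed or attacker-issued certificate looks like to the verifier, regardless of how correct the name on it is.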

Key idea

TLS proves server identity by chaining a leaf certificate up to a root in the client's trust store, so every signature, the hostname, and the validity period must check out along the whole chain, not just on the leaf.

Check yourself


1. What does a TLS certificate bind a domain name to?

2. Why might a valid leaf certificate still fail to validate?