Understanding Certificates

This page gives a very high-level overview of the terminology and processes for establishing trust and making secure connections between clients and web services.

The Asymmetric Encryption Process

HTTPS communications from a browser implement the Asymmetrical Encryption (or Public Key Encryption) Process

  • The Client will open a connection to the Server
  • The Server sends its Public Server Certificate
  • The Client verifies it the server's certificate
  • The Server and Client Exchanges Keys and secure communications can begin.

Generating a CSR

The most important step in this process is making sure the Client can verify the certificate matches the server it requested the connection to.

The Server does this by making a Public and Private Key Pair; which is essentially the identity of the server.  The Server should NEVER shared the Private Key with anyone else, if it does communications could be intercepted!

Any Server can generate a Key pair, but the client will use a third-party (which it explicitly trusts) to authorize the server is who it says it is; this is called a Certificate Authority (CA).  The CA receives Certificate Signing Requests (CSR) from the Server.  A Certificate Signing Request is a file which is created by a Service that wants be be authenticated.

The CA creates a Public Certificate

The CA will generate the Public Certificate on behalf of the Server, which the Server can use to pass to its clients:

The Client makes a connection

The Client makes a connection and receives the Server's Public Certificate.  It will then check to see if the Certificate can be trusted.  The client will check if the server certificate has an issuer.  If it does the client will check if the issuer's public certificate is stored in it's local truststore.  If the issuer is found, the client can trust that the public server is who it says it is because the Certificate Authority itself is trusted.  A Client will also verify the DNS record for the FQDN matches the CN of the certificate; this is a simply way for the client to make sure the certificate has come from the correct server.

Finally, the the common secret and public keys can be exchanged between client and server and communications can start:

Secure Communications


Other Reading

Paint Analogy

Importing Certificates into FAS







Comments are disabled on these articles if you require help contact support@cafex.com.

Have more questions? Submit a request