How does your browser knows that the TLS certificate presented by the web server is a legit one signed by a trusted C.A ?

Introduction 

When you browse the web, you might have noticed that some websites have a padlock icon in the address bar, indicating that they are secure. This security is provided by TLS (Transport Layer Security) encryption, which ensures that your data is transmitted securely over the internet. However, how does your browser know that the TLS certificate presented by the web server is a legitimate one signed by a trusted Certificate Authority (CA)? In this article, we will discuss how web browsers determine if a TLS certificate presented by a web server is legitimate and has been signed by a trusted Certificate Authority (CA).

Prerequisites: A fundamental understanding of web browsers, Certificate Authorities, TLS certificates, and digital authentication process is necessary.

Let’s Go !

Each Certificate Authority has set of key pairs(Private and Public Keys). The Certificate Authority uses their private key to sign the Certificate, all the public keys are all built-in all the browsers. The browsers uses the public key of the Certificate Authority to validate the certificate was actually signed by the Verified Certificate Authority themselves.

When a web server presents a TLS certificate to a browser, the browser needs to verify that the certificate is legitimate and has been signed by a trusted certificate authority (CA). Here is a simplified overview of the process:

1. The browser checks if the certificate presented by the server is valid: It verifies that the certificate has not expired, the domain name in the certificate matches the one in the URL, and the certificate is issued by a trusted CA.
2. The browser checks if the certificate has been issued by a trusted CA: The browser has a list of trusted CAs that it uses to verify the certificate. If the CA that issued the certificate is not on this list, the browser will display an error message indicating that the connection is not secure.
3. The browser verifies the signature of the certificate: The certificate contains a digital signature that has been created using the CA’s private key. The browser checks this signature using the CA’s public key, which is stored in the browser’s certificate store. If the signature is valid, the browser knows that the certificate was issued by the trusted CA.
4. The browser establishes a secure connection: Once the certificate has been verified, the browser and server negotiate a session key to be used for encrypting the communication. This key is used to encrypt and decrypt data sent between the browser and server, ensuring that it cannot be intercepted by third parties.
5. If all of the above checks pass, your browser displays a lock icon in the address bar and allows you to safely access the website using HTTPS.

In summary, your browser uses a combination of checks and verification processes to ensure that the TLS certificate presented by a web server is legitimate and has been signed by a trusted CA. This helps to protect your online security and privacy by encrypting your connection to the website and preventing attackers from intercepting or tampering with your data.