A certificate authority (CA) is a third-party organization with 3 main objectives:
1. Issuing certificates.
2. Confirming the identity of the certificate owner.
3. Providing proof that the certificate is valid.
You might have heard of Symantec, Comodo, or Let's Encrypt, among others.
Becoming a CA is an intense task of security requirements and audits.
You need to be trusted to be accepted into a root store.
A root store is basically a database of trusted CAs.
Apple, Windows, and Mozilla run their own root stores that they pre-install in your computer or device.
Which certificate should you buy? You have basically 3 flavors.
Domain validated. The certificate just verifies the domain name, and nothing else. You probably need this one.
Organization validated. The certificate requires the validation and manual verification of the organization behind the certificate.
Extended validation. The certificate requires an exhaustive verification of the business.
All valid certificates result in the browser displaying a secure badge in the browser bar. EV certificates generally display the company name as well.
But how do certificates get validated?
When a CA issues a certificate, they sign the certificate with their root certificate pre-installed in the root store.
Most of the time it's an intermediate certificate signed with a root certificate.
If a cat-astrophy would occur and the root certificate is compromised, it's easier to revoke the intermediate certificates, since the root certificates are installed on each device.
Let's walk through how a certificate is validated. The process is based on a 'chain of trust'.
Your browser connects to a site via HTTPS and downloads the certificate.
The certificate is not a root certificate.
Your browser downloads the certificate that was used to sign the certificate on the site.
But this certificate is still not the root certificate.
Your browser once more looks up the certificate that signed the intermediate certificate.
It's the root certificate! Yay!
The entire certificate chain is trusted, and thus the site certificate is trusted as well.
In the event that the last certificate is not a root certificate, and there are no more certificates to download, the chain is untrusted.
But why use a certificate authority when you can self-sign your certificates?
A self-signed certificate provides the same level of encryption as one generated by an authority.
No crabs can spy on your data.
And there is no charge to self-sign your certificates!
Yes, but almost every browser checks that the certificate is issued by a trusted authority.
As such visitors are warned that the certificate cannot be trusted.
Self-signed certificates can be useful for testing, and intranets, but you should avoid using them on public sites.
Self-signed certificates can be forged. Basically, they say 'Trust me, it's me, I promise!'.
A trusted certificate says: 'Trust me, an authority verified me'.
Talking about trust. Thank you for trusting us through this story.
Unfortunately, it is coming to an end.
We hope you enjoyed this comic!
See you soon!
Hey, you did it!
You finished the comic! Thanks from the bottom of of our cat paws for spending some of your day reading about HTTPS.
We propose three activities to distract you from the fact that there is not another episode to read.
1. Take the quiz
To make it up to you, you can test your brand hot knowledge of HTTPS in a quiz. Yes, that's right. We even send you a certificate of completion if you score high enough.
If you enjoyed the comic, and need an SSL certificate to secure your site, or a rock solid and easy-to-use DNS (not our words), or a brand new fancy domain, have a look at us.
P.S. If you want to suggest a new episode (please no, because we'll have to update this page) or give us feedback about the existing ones, we are all cat hears.
