How Browsers Verify Digital Certificates — Part 1
How signature verification works at a low level
This is part 1 of a two-part series where we look at how a digital certificate’s signature is verified.
In this article, we’ll look at how we can extract the public key from a root CA certificate, and in part 2, we’ll look at how we can use that to verify the signature in a certificate signed by the CA.
You should already have an understanding of asymmetric encryption and the basic idea behind how TLS and digital certificates work.
Certification Path
This is StackOverflow’s digital certificate.
You can find the certificate by clicking on the padlock just before https://stackoverflow.com in your browser, and then clicking on “Certificate is valid”.

You can see it’s issued by R3, which means the entity called R3 has signed this certificate.

If you click on the Certification Path, you’ll see a chain of certificates:

The top certificate is the root CA (Certificate Authority) certificate and is implicitly trusted. Root CA certificates are installed along with Windows or with your browser.
The public key from this root CA certificate is used to verify the next certificate in the list, the intermediate CA, which is from a company called R3 Let’s Encrypt.
The intermediate certificate, issued to R3, contains a public key, which is used to verify the signature of the actual certificate used by StackOverflow (*.stackexchange.com).
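The chain walk described above, as an added example that is not code from this article: each certificate's signature is checked with the public key taken from the certificate above it, and the root is accepted only because it is already in the local trust store. It uses textbook RSA with tiny Mersenne-prime keys and a simplified dictionary instead of real X.509, so it shows only the logic; the root name "Example Root CA" and all keys are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keypair(p, q):
    """Return (n, d): public modulus and private exponent for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    """Hash the signed fields (subject, issuer, subject public key) to an integer mod n."""
    tbs = f'{cert["subject"]}|{cert["issuer"]}|{cert["pub_n"]}'.encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(subject, pub_n, issuer, issuer_n, issuer_d):
    """The issuer signs the subject's name and public key with its private key."""
    cert = {"subject": subject, "issuer": issuer, "pub_n": pub_n}
    cert["sig"] = pow(digest(cert, issuer_n), issuer_d, issuer_n)
    return cert

def signature_ok(cert, issuer_n):
    """Check a signature using only the issuer's public key (issuer_n, E)."""
    return pow(cert["sig"], E, issuer_n) == digest(cert, issuer_n)

def verify_path(path, trust_store):
    """path is leaf first, root last; trust_store maps root name -> trusted modulus."""
    for cert, parent in zip(path, path[1:]):
        # The parent's public key must verify the child's signature.
        if cert["issuer"] != parent["subject"] or not signature_ok(cert, parent["pub_n"]):
            return False
    root = path[-1]
    # The root is self-signed, so its signature alone proves nothing:
    # it must match a key that was installed in the trust store beforehand.
    return trust_store.get(root["subject"]) == root["pub_n"] and signature_ok(root, root["pub_n"])

def mersenne(k):
    return 2**k - 1  # prime for the exponents used below

# Constructed sample chain (toy key sizes, far too small for real use).
root_n, root_d = keypair(mersenne(61), mersenne(89))
int_n, int_d = keypair(mersenne(107), mersenne(127))
leaf_n, _ = keypair(mersenne(521), mersenne(607))

ROOT = issue("Example Root CA", root_n, "Example Root CA", root_n, root_d)  # self-signed
INTERMEDIATE = issue("R3", int_n, "Example Root CA", root_n, root_d)
LEAF = issue("*.stackexchange.com", leaf_n, "R3", int_n, int_d)
PATH = [LEAF, INTERMEDIATE, ROOT]
TRUST_STORE = {"Example Root CA": root_n}
```

`verify_path(PATH, TRUST_STORE)` succeeds, while swapping the leaf's public key or emptying the trust store makes it fail.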