Certificate Authorities

A certificate authority (CA) is a third-party organization with 3 main objectives:

1. Issuing certificates.
2. Confirming the identity of the certificate owner.
3. Providing proof that the certificate is valid.

You might have heard of Symantec, Comodo, or Let's Encrypt, among others.

Becoming a CA is an intense process of security requirements and audits.
You need to be trusted to be accepted into a root store.

A root store is basically a database of trusted CAs.
Apple, Windows, and Mozilla run their own root stores that they pre-install in your computer or device.

Which certificate should you buy? You have basically 3 flavors.

Domain validated. The certificate just verifies the domain name, and nothing else. You probably need this one.

Organization validated. The certificate requires the validation and manual verification of the organization behind the certificate.

Extended validation. The certificate requires an exhaustive verification of the business.

All valid certificates result in the browser displaying a secure badge in the browser bar. EV certificates generally display the company name as well.


But how do certificates get validated?

When a CA issues a certificate, they sign the certificate with their root certificate, which is pre-installed in the root store.
Most of the time, though, the site certificate is signed by an intermediate certificate, and the intermediate is signed by the root certificate.
If a cat-astrophe occurs and the signing certificate is compromised, it's easier to revoke an intermediate certificate than a root certificate, since root certificates are installed on each device.

Let's walk through how a certificate is validated. The process is based on a "chain of trust".

Your browser connects to a site via HTTPS and downloads the certificate.
The certificate is not a root certificate.
Your browser downloads the certificate that was used to sign the certificate on the site.
But this certificate is still not the root certificate.
Your browser once more looks up the certificate that signed the intermediate certificate.

It's the root certificate! Yay!

The entire certificate chain is trusted, and thus the site certificate is trusted as well.

In the event that the last certificate is not a root certificate, and there are no more certificates to download, the chain is untrusted.


But why use a certificate authority when you can self-sign your certificates?

A self-signed certificate provides the same level of encryption as one generated by an authority.
No crabs can spy on your data.

And there is no charge to self-sign your certificates!

Yes, but almost every browser checks that the certificate is issued by a trusted authority.

As such, visitors are warned that the certificate cannot be trusted.

Self-signed certificates can be useful for testing and intranets, but you should avoid using them on public sites.

Self-signed certificates can be forged. Basically, they say "Trust me, it's me, I promise!".
A trusted certificate says: "Trust me, an authority verified me".
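The chain walk described above and the self-signed case just discussed, as an added example that is not part of the comic or of DNSimple's code. This Go program uses only the standard library's crypto/x509 package. It constructs a made-up root CA, an intermediate signed by that root, a site certificate for howhttps.works signed by the intermediate, and a self-signed certificate for the same host (the CA names and the 24-hour validity are invented for the demo). Only the root goes into the root store, the way a browser ships with pre-installed roots. It then validates the site certificate the way the comic describes and shows the two untrusted outcomes: a self-signed certificate, and a site certificate presented without its intermediate, so the chain cannot reach a root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1

// issue creates a certificate for cn signed by parent. When parent is nil the
// certificate signs itself: that is what a root CA does, and what a
// self-signed site certificate does too.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // constructed demo validity
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CAs may sign other certificates
	} else {
		tmpl.DNSNames = []string{cn} // site certificates name the host they protect
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenario holds the constructed certificates: a root and intermediate CA,
// a site certificate issued through them, a self-signed site certificate,
// and a root store that trusts only the root.
type Scenario struct {
	Root, Mid, Site, SelfSigned *x509.Certificate
	RootStore                   *x509.CertPool
}

// BuildScenario creates the chain root -> intermediate -> site plus a
// self-signed certificate for the same host. All names are made up.
func BuildScenario() (*Scenario, error) {
	root, rootKey, err := issue("Example Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	mid, midKey, err := issue("Example Intermediate CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	site, _, err := issue("howhttps.works", false, mid, midKey)
	if err != nil {
		return nil, err
	}
	selfSigned, _, err := issue("howhttps.works", false, nil, nil)
	if err != nil {
		return nil, err
	}
	store := x509.NewCertPool()
	store.AddCert(root) // the only pre-installed trust anchor
	return &Scenario{Root: root, Mid: mid, Site: site, SelfSigned: selfSigned, RootStore: store}, nil
}

// Validate follows the comic's walk: start at the site certificate, go up
// through the intermediates the server sent, and require that the chain
// ends at a certificate in the root store. Any other outcome is untrusted.
func Validate(site *x509.Certificate, sent []*x509.Certificate, store *x509.CertPool, host string) ([][]*x509.Certificate, error) {
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	return site.Verify(x509.VerifyOptions{
		Roots:         store,
		Intermediates: inter,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	chains, err := Validate(s.Site, []*x509.Certificate{s.Mid}, s.RootStore, "howhttps.works")
	fmt.Println("CA-issued with intermediate:", len(chains), "chain(s), err =", err)
	_, err = Validate(s.SelfSigned, nil, s.RootStore, "howhttps.works")
	fmt.Println("self-signed:", err)
	_, err = Validate(s.Site, nil, s.RootStore, "howhttps.works")
	fmt.Println("CA-issued but intermediate missing:", err)
}
```

The trusted case returns one chain of three certificates (site, intermediate, root). The self-signed certificate encrypts just as well, but it fails because nothing in the root store vouches for it; the third case fails for the same reason the comic gives: the chain stops before reaching a root.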

Speaking of trust, thank you for trusting us through this story.

Unfortunately, it is coming to an end.

We hope you enjoyed this comic!

See you soon!

Hey, you did it!

You finished the comic! Thanks from the bottom of our cat paws for spending some of your day reading about HTTPS.

We propose three activities to distract you from the fact that there is not another episode to read.

1. Take the quiz

To make it up to you, you can test your brand-new knowledge of HTTPS in a quiz. Yes, that's right. We'll even send you a certificate of completion if you score high enough.


2. Vent on social networks

The human thing to do. If you want to put more pressure on us to make more comics, here are a few examples to get us to the edge of our seats.

I want my new comic right meow 😸 @dnsimple! #certificat https://howhttps.works


Don't cat corners! ✂ 🐈 but make more comics @dnsimple #certificat https://howhttps.works


I have a good feline about this upcoming comic @dnsimple 😻 #certificat https://howhttps.works


Bad crab. Bad @dnsimple. 🦀 Make more comics! #crab https://howhttps.works


3. Visit DNSimple

If you enjoyed the comic, and need an SSL certificate to secure your site, or a rock-solid and easy-to-use DNS (not our words), or a brand new fancy domain, have a look at us.


P.S. If you want to suggest a new episode (please no, because we'll have to update this page) or give us feedback about the existing ones, we are all cat ears.