Every time you visit a website over HTTPS, your browser does more than load the page: it checks the site's identity using a digital certificate and decides whether to trust it. These certificates are the backbone of HTTPS, which keeps your connection private and protects it from tampering. You may have noticed that some sites load without fuss, while others show a warning that the connection is not private and ask whether you really want to continue. Why does that happen, and why do browsers flag self-signed certificates in particular? In this article we look at what an HTTPS certificate contains, how a browser validates one, and how CA-issued and self-signed certificates differ.
What is a digital certificate?
Think of a digital certificate as an ID card for a website, just as a person shows an ID to prove who they are before entering a secure building. When you visit a secure website (such as https://example.com), your browser in effect asks, "Who are you?" The website answers by presenting its digital certificate, which carries its identity and a digital signature from a trusted authority, much like a government seal confirming someone's ID card. Your browser then checks the certificate, and if everything holds up it says, "Okay, I trust you." Only then do the two sides agree on a shared secret key and use it to encrypt the conversation. Identity comes first, encryption second: an encrypted connection to an impostor would protect nothing, which is why the certificate check matters.
Who Issues Digital Certificates?
Trusted organizations called Certificate Authorities (CAs) issue digital certificates. A CA is a third party that verifies the identity of a website or organization (at minimum, that the requester controls the domain) before issuing a certificate. Once verified, the CA digitally signs the certificate with its own private key to confirm it is authentic. DigiCert, GoDaddy, GlobalSign and Let's Encrypt are among the most widely used CAs. Your browser and operating system ship with a built-in list of trusted root CAs, usually called the root store or trust store, which is how they know which certificates to trust when you visit a site.
What Does a Certificate Contain?
A digital certificate contains several key parts, and each one serves a specific purpose.
- Subject and domain names: the site's name(s), listed in the Subject Alternative Name (SAN) extension (e.g., www.example.com); the browser matches the host in the URL against these
- Issuer: the Certificate Authority (CA) that signed it
- Public Key: the server's public key; the server proves during the handshake that it holds the matching private key
- Validity Period: the start (not before) and end (not after) dates between which the certificate may be used
- Signature: the CA's digital signature over the certificate's contents, made with the CA's private key
- Serial Number: an identifier that is unique among the certificates issued by that CA
What happens when you visit a website?
Now, when you visit a website, the browser asks the site to present its certificate. The server sends its certificate, which carries the fields above, together with the intermediate CA certificates that link it to a root. Once the browser has the chain, it checks the following:
- The issuing authority: it follows the signatures from the site's certificate through any intermediates until it reaches a root CA that is in its trust store
- The domain name: the host in the URL must match one of the names in the certificate's Subject Alternative Name extension
- The validity period: the current time must fall between the not-before and not-after dates
- The digital signatures: each certificate's signature is verified with the public key of the certificate that issued it, and most browsers also check whether the certificate has been revoked
If every check passes, the two sides agree on a session key. Older TLS versions did this with RSA key exchange, in which the browser generated a secret, encrypted it with the server's public key from the certificate and sent it over; TLS 1.3 removed that method. Modern connections instead use an ephemeral Diffie-Hellman exchange to derive the session key, and the server proves it owns the certificate by signing the handshake with the private key that matches the certificate's public key. From this point on, all traffic between browser and website is encrypted with the shared session key.
How Self-Signed Certificates Work
A self-signed certificate is like someone making their own ID card and saying, "Trust me, this proves who I am." It includes all the usual details: the domain name, a public key, a validity period and a digital signature. But instead of a trusted authority signing it (as a government does for real IDs), the website signs it with its own private key, so the issuer field is identical to the subject field.
When your browser visits a site with a self-signed certificate, it looks at the certificate and concludes: "No trusted authority issued this certificate, so I cannot verify who is behind it." The signature itself may be perfectly valid, but it only proves that whoever holds the private key signed the certificate, and anyone, including an attacker sitting on the network path, can generate a self-signed certificate for www.example.com. Since the signature does not lead back to a root in the trust store, the browser shows a warning such as "Your connection is not private" or "This site is not secure" and asks whether you want to proceed at your own risk.
Self-signed certificates are still useful, especially for development, testing, or internal servers, where you control the environment and do not need a third party to vouch for the key. Even there, the right approach is to install the self-signed certificate (or, better, the root of a small private CA) into the trust store of the clients that need it, not to click through the warning every time: teaching users to ignore that warning removes the one defence HTTPS offers against interception. Public websites should not use self-signed certificates, because they give visitors no reliable way to confirm the site's identity, and publicly trusted certificates are available free of charge from CAs such as Let's Encrypt.
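The checks described under "What happens when you visit a website?" and the self-signed case just discussed, as an added example in Go that is not code from the original article. It uses only the standard library's crypto/x509 package: it builds a private CA, issues a CA-signed server certificate and a self-signed one, then runs the browser-style verification (trusted issuer, hostname, validity period, signatures) against each and reports which check fails. The CA name "Example Root CA", the host www.example.com, the function names and the trust-store scenarios are all constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on errors this example cannot sensibly recover from (key generation, encoding).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate carrying the fields the article lists. With
// parent == nil it is self-signed: issuer equals subject and the signature is
// made with the certificate's own key, the "home-made ID card".
func issue(cn string, isCA bool, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))), // random, as real CAs do
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // allowed to sign other certificates
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.DNSNames = []string{cn} // the SAN a browser matches the URL's host against
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// browserCheck runs the article's checks in the order Go's verifier applies them: validity
// period, hostname against the SANs, then chain building to a trusted root (verifying signatures).
func browserCheck(leaf *x509.Certificate, trusted *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "passes"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "untrusted issuer" // the warning a self-signed or unknown-CA certificate triggers
	case errors.As(err, new(x509.HostnameError)):
		return "hostname mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "outside validity period"
	}
	return "fails: " + err.Error()
}

// Scenarios builds a private CA, a CA-signed server certificate and a self-signed one, then checks each.
func Scenarios() map[string]string {
	now, host := time.Now(), "www.example.com"
	ca, caKey := issue("Example Root CA", true, now.Add(-time.Hour), now.Add(87600*time.Hour), nil, nil)
	leaf, _ := issue(host, false, now.Add(-time.Hour), now.Add(2160*time.Hour), ca, caKey)
	expired, _ := issue(host, false, now.Add(-48*time.Hour), now.Add(-24*time.Hour), ca, caKey)
	selfSigned, _ := issue(host, false, now.Add(-time.Hour), now.Add(2160*time.Hour), nil, nil)
	trusted := x509.NewCertPool() // stands in for the browser's built-in root store
	trusted.AddCert(ca)
	pinned := x509.NewCertPool() // what installing an internal certificate into the trust store amounts to
	pinned.AddCert(selfSigned)
	// The self-signed signature verifies under its own key; the browser's problem is who vouches for that key.
	ownSig := "passes"
	if err := selfSigned.CheckSignature(selfSigned.SignatureAlgorithm, selfSigned.RawTBSCertificate, selfSigned.Signature); err != nil {
		ownSig = "fails: " + err.Error()
	}
	return map[string]string{
		"ca-signed, correct host":              browserCheck(leaf, trusted, host, now),
		"ca-signed, wrong host":                browserCheck(leaf, trusted, "www.example.net", now),
		"ca-signed, expired":                   browserCheck(expired, trusted, host, now),
		"self-signed, signature under own key": ownSig,
		"self-signed, default trust store":     browserCheck(selfSigned, x509.NewCertPool(), host, now),
		"self-signed, added to trust store":    browserCheck(selfSigned, pinned, host, now),
	}
}

func main() {
	for k, v := range Scenarios() {
		fmt.Printf("%-40s %s\n", k, v)
	}
}
```

Run it with `go run .` and the output lists one line per scenario. Two results carry the article's point: the self-signed certificate's signature passes when checked against its own key, yet the same certificate is rejected as "untrusted issuer" against an empty trust store, because nothing in the store vouches for that key. Adding it to the pool, the programmatic equivalent of installing it in the operating system or browser trust store, makes it pass like any root. Note that the verifier, like a browser, stops at the first failed check, so an expired certificate from a trusted CA reports the validity problem rather than anything about trust.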