How Websites Get SSL Certificates
Walk through the certificate issuance process — from CSR to validation to deployment.
The Certificate Authority Hierarchy
The certificate trust system is hierarchical. Root CAs are self-signed and embedded in operating systems and browsers. Intermediate CAs are signed by root CAs and do the actual certificate issuance.
This two-tier structure keeps root CA private keys offline and air-gapped. If an intermediate CA is compromised, its certificates can be revoked without requiring changes to root CA trust anchors.
Domain Validation Process
To obtain a DV certificate, the applicant must prove control of the domain. There are three standard ACME challenges: DNS challenge (add a TXT record to the domain's DNS), HTTP challenge (place a specific file at a specific URL), and TLS-ALPN challenge (serve a specific certificate during TLS negotiation).
All three methods confirm that the applicant controls either the domain's DNS or the web server at that domain. This prevents someone from obtaining a certificate for a domain they do not control.
All lessons in this course
- The Padlock Icon: What It Really Means
- How Websites Get SSL Certificates
- TLS Certificate Warnings and What to Do
- HTTP Downgrade and Mixed Content Risks