0Pricing
Cryptology Academy · Lesson

How Websites Get SSL Certificates

Walk through the certificate issuance process — from CSR to validation to deployment.

The Certificate Authority Hierarchy

The certificate trust system is hierarchical. Root CAs are self-signed and embedded in operating systems and browsers. Intermediate CAs are signed by root CAs and do the actual certificate issuance.

This two-tier structure keeps root CA private keys offline and air-gapped. If an intermediate CA is compromised, its certificates can be revoked without requiring changes to root CA trust anchors.

Domain Validation Process

To obtain a DV certificate, the applicant must prove control of the domain. There are three standard ACME challenges: DNS challenge (add a TXT record to the domain's DNS), HTTP challenge (place a specific file at a specific URL), and TLS-ALPN challenge (serve a specific certificate during TLS negotiation).

All three methods confirm that the applicant controls either the domain's DNS or the web server at that domain. This prevents someone from obtaining a certificate for a domain they do not control.

All lessons in this course

  1. The Padlock Icon: What It Really Means
  2. How Websites Get SSL Certificates
  3. TLS Certificate Warnings and What to Do
  4. HTTP Downgrade and Mixed Content Risks
← Back to Cryptology Academy