The Story That Explains Digital Signatures
The king does three things: he writes the letter, drips hot wax across the fold, and presses his unique signet ring into it. Anyone can read the letter, but only the king owns that ring. If the wax is broken or the imprint is wrong, the general throws the letter into the fire.
On the internet, we have the same problem — and almost exactly the same solution. The letter is your data. The ring is your private key. The wax imprint is a digital signature. And the passport that proves the ring belongs to the king is a digital certificate.
Every time you see a padlock next to a URL, three cryptographic tools are working together in a fraction of a second: digital signatures prove authenticity, certificates prove identity, and SSL/TLS wraps the entire connection in a private tunnel. This tutorial pulls all three apart and shows how they lock together.
The internet was originally designed for openness, not secrecy. Every packet you send is copied through dozens of routers you do not own. Digital signatures, certificates, and TLS are the retrofit that made online banking, e-commerce and private messaging possible — without them, the modern web could not exist.
The Three Problems Cryptography Must Solve
When Alice sends a message to Bob over the internet, three separate things can go wrong. Digital signatures and TLS solve each one with a different tool.
Encryption alone is useless if you are encrypting a conversation with an attacker. Signatures alone are useless if you cannot verify whose key you are checking. TLS layers all three so that when you type your password, it travels through an encrypted tunnel to a server whose identity has been mathematically proven.
Symmetric vs Asymmetric Encryption
Before signatures make sense, you need to understand the two families of encryption. TLS uses both — for different reasons at different moments in the handshake.
| Property | Value |
|---|---|
| Algorithms | AES-128, AES-256, ChaCha20 |
| Speed | Very Fast |
| Key Sharing | Hard problem |
| Use in TLS | Bulk data transfer |
| Property | Value |
|---|---|
| Algorithms | RSA, ECDSA, Ed25519 |
| Speed | ~1000× Slower |
| Key Sharing | Public key is public |
| Use in TLS | Handshake & signing only |
TLS uses asymmetric crypto for a few milliseconds during the handshake to agree on a shared symmetric key. After that, everything switches to fast symmetric AES. You get the security of public-key crypto with the speed of symmetric — the best of both worlds.
How a Digital Signature Actually Works
A digital signature is not encryption of the whole message. It is a tiny fingerprint that only the private-key holder could have produced, and anyone with the public key can verify. Here is the exact recipe.
A digital signature does not encrypt the message. The message travels in plaintext beside the signature. If you also need confidentiality, you must encrypt separately — which is exactly what TLS does when it wraps the whole conversation in AES on top of signed handshakes.
Digital Certificates — The Passport Problem
Digital certificates work the same way. A website says "I am google.com and here is my public key." A trusted Certificate Authority (CA) like DigiCert or Let's Encrypt has already verified that claim and signed the certificate. Your browser trusts the CA, so it trusts the certificate.
Without certificates, an attacker could send you their own public key and pretend to be your bank. You would encrypt your password with the attacker's key and send it directly to them. Certificates solve this by binding a public key to a verified identity.
Inside an X.509 Certificate
All internet certificates follow the X.509 standard. When your browser connects to a site, it receives one of these — usually a few kilobytes of structured data. Here is what is actually inside.
| Field | Example Value | Purpose |
|---|---|---|
Subject | CN=www.google.com | Whose identity is being certified |
Issuer | CN=GTS CA 1C3, O=Google Trust Services | Which CA signed it |
Public Key | 30 82 01 22 30 0D 06 09... (RSA 2048) | The site's public key |
Valid From / To | Not Before: Nov 4 2025 → Not After: Feb 3 2026 | Lifetime window (~90 days for LE) |
Serial Number | 0x3F:A2:1D:8C:... | Unique ID within the CA's records |
Signature Algorithm | sha256WithRSAEncryption | How the CA signed the cert |
SAN (Subject Alt Names) | *.google.com, google.com, *.gstatic.com | Other hostnames this cert covers |
Signature | 7A:CD:1F:...(256 bytes) | The CA's actual digital signature |
Reading a Certificate with OpenSSL
# Fetch the certificate that google.com currently presents
openssl s_client -connect google.com:443 -servername google.com < /dev/null | \
openssl x509 -noout -text
# Show only the important bits
openssl s_client -connect google.com:443 < /dev/null | \
openssl x509 -noout -subject -issuer -dates
The Chain of Trust
A browser does not know every certificate on earth. What it knows is a small list of Root Certificate Authorities — about 150 organisations whose public keys ship pre-installed with Windows, macOS, Firefox, Chrome, and Android. Everything else is trusted transitively.
If a root CA's private key ever leaks, every certificate it signed becomes untrustworthy overnight — potentially billions of them. That is why roots are stored on hardware security modules in vaults, and only touched at scheduled "key ceremonies" witnessed by auditors. Intermediates absorb the day-to-day risk.
SSL vs TLS — Naming and History
You will hear "SSL" and "TLS" used interchangeably, but they are not the same protocol. SSL is dead. TLS is what actually runs on the web today. The name "SSL" survives out of habit — like calling a smartphone a "phone".
| Version | Released | Status | Notes |
|---|---|---|---|
| SSL 1.0 | 1994 (internal) | Never released | Netscape found critical flaws before publishing |
| SSL 2.0 | 1995 | Deprecated 2011 | Weak MAC, no protection against downgrade |
| SSL 3.0 | 1996 | Killed by POODLE 2014 | Padding oracle attack broke it completely |
| TLS 1.0 | 1999 | Deprecated 2020 | Vulnerable to BEAST attack |
| TLS 1.1 | 2006 | Deprecated 2020 | Modest improvements, still weak |
| TLS 1.2 | 2008 | Widely used | Still the fallback in enterprise environments |
| TLS 1.3 | 2018 | Current standard | ~1 RTT handshake, no legacy ciphers |
Oct 2014 — Google announced the POODLE attack against SSL 3.0; The Guardian and Reuters both ran front-page tech stories. Within weeks, every major browser disabled SSL 3.0. Aug 2018 — TLS 1.3 was ratified by the IETF; Ars Technica and Wired covered it as "the biggest upgrade to web security in a decade".
The TLS 1.3 Handshake — Animated
Here is what actually happens in the ~50 milliseconds between typing a URL and seeing the padlock. TLS 1.3 completes the handshake in a single round trip, then encrypted data flows.
The whole handshake completes in 1 round-trip. Everything after step 3 is fully encrypted with symmetric AES-256-GCM.
The ephemeral keys are thrown away after the session. Even if an attacker records your traffic today and later steals the server's private key, they still cannot decrypt past sessions — because those sessions used one-time ECDHE keys that no longer exist. This property, called Perfect Forward Secrecy, is mandatory in TLS 1.3.
Hands-On — Inspecting a Live TLS Connection
1. See the full handshake
# Show cipher suite, cert chain, protocol version
openssl s_client -connect www.wikipedia.org:443 -servername www.wikipedia.org
# Force TLS 1.3 only
openssl s_client -connect www.wikipedia.org:443 -tls1_3
# Refuse anything below TLS 1.2 (test if a server is properly configured)
openssl s_client -connect example.com:443 -tls1_1 # should FAIL on any modern server
2. Generate your own certificate (self-signed, for local testing)
# Create a 2048-bit RSA private key
openssl genrsa -out mysite.key 2048
# Generate a Certificate Signing Request (CSR)
openssl req -new -key mysite.key -out mysite.csr \
-subj "/C=IN/ST=HP/L=Solan/O=DevOps/CN=mysite.local"
# Self-sign it (valid 365 days) — DEV ONLY, browsers will still warn
openssl x509 -req -days 365 -in mysite.csr \
-signkey mysite.key -out mysite.crt
# Inspect what you just made
openssl x509 -in mysite.crt -noout -text
3. Get a real, browser-trusted cert with certbot (Let's Encrypt)
# One command → free, auto-renewing, publicly trusted certificate
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
# Certbot then auto-installs a cron job that renews before day 90
sudo certbot renew --dry-run
4. Verify with curl
# Fetch a page and dump certificate details in one go
curl -vI https://www.wikipedia.org 2>&1 | grep -E "SSL|subject|issuer|expire"
# Reject connection if cert is bad (default behaviour anyway)
curl https://self-signed.badssl.com # fails with cert error
curl -k https://self-signed.badssl.com # -k bypasses (never do in prod)
-k in Production Scripts
curl -k and --insecure disable certificate validation
entirely. A script written like that will happily send credentials to any
attacker who can hijack DNS. If a legitimate server has a cert error, fix the
cert — do not silence the client.
Real-World Cases — When Certificates Broke the News
Certificate incidents make news because they break the padlock — the single symbol most users have been taught to trust. When Heartbleed hit, tech desks at newspapers had to explain crypto to millions of readers overnight. Each incident reshaped browser policy, CA governance, and how the industry does certificate transparency logging.
Common Attacks Against SSL/TLS
| Attack | How It Works | Defence |
|---|---|---|
| MITM (Man-in-the-Middle) | Attacker intercepts and re-signs traffic using a rogue CA | Certificate pinning + CT logs |
| SSL Stripping | Attacker downgrades HTTPS links to plain HTTP before user clicks | HSTS + browser preload list |
| POODLE | Forces downgrade to SSL 3.0, then exploits padding oracle | Disable SSL 3.0 (done since 2014) |
| BEAST | Predictable IVs in CBC-mode TLS 1.0 leak plaintext | TLS 1.2+ with GCM ciphers |
| Heartbleed | Memory over-read leaks server private key | Patch OpenSSL, rotate keys |
| Compromised CA | Rogue CA issues valid cert for a domain it doesn't own | Certificate Transparency (CT) logs |
| Downgrade Attack | Tamper with ClientHello to force old TLS version | TLS 1.3 signals full version list in handshake signature |
HSTS, Certificate Transparency, and Modern Defences
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.
Browser refuses plain HTTP to that domain for two years. Defeats SSL stripping.
example.com. CAA 0 issue "letsencrypt.org"
tells the world only Let's Encrypt may issue for this domain. Any other CA
that ignores CAA can be sanctioned by browsers.
Enabling HSTS in nginx
# /etc/nginx/sites-available/example.com
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Only allow TLS 1.2 and 1.3
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS: 2 years, cover subdomains, ready for preload list
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}
SSL/TLS vs Predecessors — Why This Layer Exists
| Threat | Result |
|---|---|
| Eavesdropping | Passwords visible on every hop |
| Tampering | ISP can inject ads mid-page |
| Impersonation | Any WiFi hotspot can serve fake sites |
| Credential theft | Trivial with Wireshark |
| Threat | Result |
|---|---|
| Eavesdropping | AES-256 ciphertext — infeasible to break |
| Tampering | GCM tag rejects any bit-flip |
| Impersonation | Certificate check fails — big red warning |
| Credential theft | Wireshark shows only opaque bytes |
After Edward Snowden's 2013 NSA revelations (broken by The Guardian and The Washington Post), the industry accelerated TLS adoption dramatically. Google's "HTTPS Everywhere" ranking boost, Chrome's "Not Secure" warnings on plain HTTP, and the launch of Let's Encrypt all trace directly back to that moment.
Golden Rules
RSA-2048 or ECDSA P-256.
Prefer ECDSA / Ed25519 — faster handshakes, smaller certs,
same security level.
ECDHE-*
cipher suites.
max-age of at least one year.
Submit your domain to the HSTS preload list.
ssllabs.com/ssltest). Aim for grade A
or higher. Anything below B in 2026 is a security
incident waiting to happen.
curl -k, verify=False,
ServerCertificateValidationCallback). If it fails, fix the cert,
do not silence the check.
crt.sh). Set up alerts. If someone else's CA ever issues a cert
for your domain, you want to know within hours — not months.
Digital signatures prove who. Certificates prove whose key. TLS ties both together into an encrypted tunnel. Understand each layer independently, and every "SSL error" in production becomes a five-minute diagnosis instead of a two-day panic.