Computer Network 📂 Information Security · 2 of 2 35 min read

Digital Signatures, Certificates

Understand how digital signatures, X.509 certificates, and SSL/TLS 1.3 combine to secure every HTTPS connection. Covers hashing, asymmetric crypto, the chain of trust, the TLS 1.3 handshake with animated diagrams, OpenSSL & certbot commands, real-world incidents (Heartbleed, DigiNotar, Superfish), attacks like MITM/POODLE/SSL-stripping, and modern defences: HSTS, CT logs, and CAA.

Section 01

The Story That Explains Digital Signatures

The Wax Seal of a Medieval King
In the 14th century, a king in London wants to send an urgent order to his general in York. The messenger might be intercepted. The letter might be forged. How does the general know the order is really from the king — and that no one has changed a single word of it?

The king does three things: he writes the letter, drips hot wax across the fold, and presses his unique signet ring into it. Anyone can read the letter, but only the king owns that ring. If the wax is broken or the imprint is wrong, the general throws the letter into the fire.

On the internet, we have the same problem — and almost exactly the same solution. The letter is your data. The ring is your private key. The wax imprint is a digital signature. And the passport that proves the ring belongs to the king is a digital certificate.

Every time you see a padlock next to a URL, three cryptographic tools are working together in a fraction of a second: digital signatures prove authenticity, certificates prove identity, and SSL/TLS wraps the entire connection in a private tunnel. This tutorial pulls all three apart and shows how they lock together.

🔒
The Core Insight

The internet was originally designed for openness, not secrecy. Every packet you send is copied through dozens of routers you do not own. Digital signatures, certificates, and TLS are the retrofit that made online banking, e-commerce and private messaging possible — without them, the modern web could not exist.


Section 02

The Three Problems Cryptography Must Solve

When Alice sends a message to Bob over the internet, three separate things can go wrong. Digital signatures and TLS solve each one with a different tool.

👁
Confidentiality
Encryption
Nobody in the middle should be able to read the message. Solved by symmetric encryption (AES) once a shared key is established.
🔑
Integrity
Hashing + Signing
Nobody should be able to change the message without detection. Solved by cryptographic hashes (SHA-256) combined with digital signatures.
👤
Authenticity
Certificates
The receiver must know they are really talking to the claimed sender. Solved by X.509 certificates issued by trusted authorities.
💡
Why All Three Are Needed

Encryption alone is useless if you are encrypting a conversation with an attacker. Signatures alone are useless if you cannot verify whose key you are checking. TLS layers all three so that when you type your password, it travels through an encrypted tunnel to a server whose identity has been mathematically proven.


Section 03

Symmetric vs Asymmetric Encryption

Before signatures make sense, you need to understand the two families of encryption. TLS uses both — for different reasons at different moments in the handshake.

🔐 Symmetric (One Shared Key)
PropertyValue
AlgorithmsAES-128, AES-256, ChaCha20
SpeedVery Fast
Key SharingHard problem
Use in TLSBulk data transfer
🔑 Asymmetric (Key Pair)
PropertyValue
AlgorithmsRSA, ECDSA, Ed25519
Speed~1000× Slower
Key SharingPublic key is public
Use in TLSHandshake & signing only
🔄
The Hybrid Trick

TLS uses asymmetric crypto for a few milliseconds during the handshake to agree on a shared symmetric key. After that, everything switches to fast symmetric AES. You get the security of public-key crypto with the speed of symmetric — the best of both worlds.


Section 04

How a Digital Signature Actually Works

A digital signature is not encryption of the whole message. It is a tiny fingerprint that only the private-key holder could have produced, and anyone with the public key can verify. Here is the exact recipe.

✍️ Signing (done by the sender)
Step 1
Take the entire message and run it through SHA-256. Output: a fixed 256-bit hash.
Step 2
Encrypt only that hash using your private key (RSA or ECDSA).
Step 3
Attach the encrypted hash to the original message. That attachment is the signature.
Step 4
Send both the plaintext message and the signature. The message itself is not encrypted by signing.
✅ Verifying (done by the receiver)
Step 1
Hash the received message yourself with SHA-256. Call this hash_local.
Step 2
Decrypt the signature using the sender's public key. Call this hash_from_sig.
Step 3
If hash_local == hash_from_sig → signature is valid. Message untampered and confirmed from sender.
Step 4
If they differ by even one bit → discard the message. Something was changed in flight, or the sender is not who they claim.
⚙️ Animated Diagram — The Signing Pipeline
MESSAGE "Transfer $500" SHA-256 HASH (256 bits) PRIVATE KEY ENCRYPT HASH SIGNATURE Attach to msg DATA FLOW → Hash first, sign the hash, attach to message. Never encrypt the whole message with the private key — RSA cannot handle large inputs.
⚠️
Common Misconception

A digital signature does not encrypt the message. The message travels in plaintext beside the signature. If you also need confidentiality, you must encrypt separately — which is exactly what TLS does when it wraps the whole conversation in AES on top of signed handshakes.


Section 05

Digital Certificates — The Passport Problem

Whose Public Key Is This, Really?
A stranger walks up to you at the airport and hands you a passport that says "I am the President of France." How do you know? Because a trusted authority — the French government — issued that passport, embedded holograms, signed it, and other governments recognise the signature.

Digital certificates work the same way. A website says "I am google.com and here is my public key." A trusted Certificate Authority (CA) like DigiCert or Let's Encrypt has already verified that claim and signed the certificate. Your browser trusts the CA, so it trusts the certificate.

Without certificates, an attacker could send you their own public key and pretend to be your bank. You would encrypt your password with the attacker's key and send it directly to them. Certificates solve this by binding a public key to a verified identity.


Section 06

Inside an X.509 Certificate

All internet certificates follow the X.509 standard. When your browser connects to a site, it receives one of these — usually a few kilobytes of structured data. Here is what is actually inside.

FieldExample ValuePurpose
SubjectCN=www.google.comWhose identity is being certified
IssuerCN=GTS CA 1C3, O=Google Trust ServicesWhich CA signed it
Public Key30 82 01 22 30 0D 06 09... (RSA 2048)The site's public key
Valid From / ToNot Before: Nov 4 2025 → Not After: Feb 3 2026Lifetime window (~90 days for LE)
Serial Number0x3F:A2:1D:8C:...Unique ID within the CA's records
Signature Algorithmsha256WithRSAEncryptionHow the CA signed the cert
SAN (Subject Alt Names)*.google.com, google.com, *.gstatic.comOther hostnames this cert covers
Signature7A:CD:1F:...(256 bytes)The CA's actual digital signature

Reading a Certificate with OpenSSL

# Fetch the certificate that google.com currently presents
openssl s_client -connect google.com:443 -servername google.com < /dev/null | \
  openssl x509 -noout -text

# Show only the important bits
openssl s_client -connect google.com:443 < /dev/null | \
  openssl x509 -noout -subject -issuer -dates
OUTPUT (abbreviated)
subject= /CN=*.google.com issuer= /C=US/O=Google Trust Services/CN=WR2 notBefore=Nov 4 08:12:03 2025 GMT notAfter=Jan 27 08:12:02 2026 GMT X509v3 Subject Alternative Name: DNS:*.google.com, DNS:*.gstatic.com, DNS:google.com, DNS:*.youtube.com, DNS:youtube.com, ... (85 total)

Section 07

The Chain of Trust

A browser does not know every certificate on earth. What it knows is a small list of Root Certificate Authorities — about 150 organisations whose public keys ship pre-installed with Windows, macOS, Firefox, Chrome, and Android. Everything else is trusted transitively.

01
Root CA — Self-Signed, Offline
Example: ISRG Root X1 (Let's Encrypt). Kept in an air-gapped vault. Ships inside every browser and OS. Its private key signs only intermediate CAs — never end sites.
02
Intermediate CA — Signed by Root
Example: R11 or R10. Sits online in a secure datacentre. Signs millions of end-entity certificates. If compromised, only it is revoked — the root stays safe.
03
Leaf Certificate — Signed by Intermediate
Example: *.wikipedia.org. Actually presented by the web server. Valid for 90 days (Let's Encrypt) up to 397 days (commercial CAs). Renewed automatically.
04
Browser Verification
The browser walks up the chain: leaf → intermediate → root. If the top is a root it already trusts and every signature checks out, the padlock lights up. Any broken link = big red warning.
🔒
Why the Root Stays Offline

If a root CA's private key ever leaks, every certificate it signed becomes untrustworthy overnight — potentially billions of them. That is why roots are stored on hardware security modules in vaults, and only touched at scheduled "key ceremonies" witnessed by auditors. Intermediates absorb the day-to-day risk.


Section 08

SSL vs TLS — Naming and History

You will hear "SSL" and "TLS" used interchangeably, but they are not the same protocol. SSL is dead. TLS is what actually runs on the web today. The name "SSL" survives out of habit — like calling a smartphone a "phone".

VersionReleasedStatusNotes
SSL 1.01994 (internal)Never releasedNetscape found critical flaws before publishing
SSL 2.01995Deprecated 2011Weak MAC, no protection against downgrade
SSL 3.01996Killed by POODLE 2014Padding oracle attack broke it completely
TLS 1.01999Deprecated 2020Vulnerable to BEAST attack
TLS 1.12006Deprecated 2020Modest improvements, still weak
TLS 1.22008Widely usedStill the fallback in enterprise environments
TLS 1.32018Current standard~1 RTT handshake, no legacy ciphers
📚
Newspaper Timeline

Oct 2014 — Google announced the POODLE attack against SSL 3.0; The Guardian and Reuters both ran front-page tech stories. Within weeks, every major browser disabled SSL 3.0. Aug 2018 — TLS 1.3 was ratified by the IETF; Ars Technica and Wired covered it as "the biggest upgrade to web security in a decade".


Section 09

The TLS 1.3 Handshake — Animated

Here is what actually happens in the ~50 milliseconds between typing a URL and seeing the padlock. TLS 1.3 completes the handshake in a single round trip, then encrypted data flows.

🔐 TLS 1.3 Handshake — Client ↔ Server
CLIENT SERVER 1. ClientHello supported ciphers + random + key share (ECDHE) 2. ServerHello + Certificate + Signature server key share + X.509 chain + signed handshake 3. Both compute shared secret (ECDHE) → derive AES key 4. Client Finished (encrypted) 5. Encrypted application data (HTTP/2 over AES-GCM) 🔒

The whole handshake completes in 1 round-trip. Everything after step 3 is fully encrypted with symmetric AES-256-GCM.

📚 What Each Step Achieves
Hello 1
Client offers TLS version, cipher list, random nonce, and an ephemeral public key (X25519 or P-256). No secrets sent yet.
Hello 2
Server picks a cipher, sends its own ephemeral public key + X.509 certificate + a digital signature over the handshake so far. This proves the server owns the private key matching the cert.
Derive
Both sides run ECDHE (Elliptic Curve Diffie-Hellman) on the exchanged public keys. They independently compute the same secret. No attacker sees it — this is the magic of DH.
Finish
Client encrypts a "finished" message with the derived key as proof. Server verifies. From here on, all HTTP traffic rides inside AES-GCM.
Forward Secrecy — Why ECDHE Matters

The ephemeral keys are thrown away after the session. Even if an attacker records your traffic today and later steals the server's private key, they still cannot decrypt past sessions — because those sessions used one-time ECDHE keys that no longer exist. This property, called Perfect Forward Secrecy, is mandatory in TLS 1.3.


Section 10

Hands-On — Inspecting a Live TLS Connection

1. See the full handshake

# Show cipher suite, cert chain, protocol version
openssl s_client -connect www.wikipedia.org:443 -servername www.wikipedia.org

# Force TLS 1.3 only
openssl s_client -connect www.wikipedia.org:443 -tls1_3

# Refuse anything below TLS 1.2 (test if a server is properly configured)
openssl s_client -connect example.com:443 -tls1_1   # should FAIL on any modern server
OUTPUT — cipher and protocol negotiated
SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Server public key is 256 bit Verify return code: 0 (ok)

2. Generate your own certificate (self-signed, for local testing)

# Create a 2048-bit RSA private key
openssl genrsa -out mysite.key 2048

# Generate a Certificate Signing Request (CSR)
openssl req -new -key mysite.key -out mysite.csr \
  -subj "/C=IN/ST=HP/L=Solan/O=DevOps/CN=mysite.local"

# Self-sign it (valid 365 days) — DEV ONLY, browsers will still warn
openssl x509 -req -days 365 -in mysite.csr \
  -signkey mysite.key -out mysite.crt

# Inspect what you just made
openssl x509 -in mysite.crt -noout -text

3. Get a real, browser-trusted cert with certbot (Let's Encrypt)

# One command → free, auto-renewing, publicly trusted certificate
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Certbot then auto-installs a cron job that renews before day 90
sudo certbot renew --dry-run

4. Verify with curl

# Fetch a page and dump certificate details in one go
curl -vI https://www.wikipedia.org 2>&1 | grep -E "SSL|subject|issuer|expire"

# Reject connection if cert is bad (default behaviour anyway)
curl https://self-signed.badssl.com  # fails with cert error
curl -k https://self-signed.badssl.com  # -k bypasses (never do in prod)
⚠️
Never Use -k in Production Scripts

curl -k and --insecure disable certificate validation entirely. A script written like that will happily send credentials to any attacker who can hijack DNS. If a legitimate server has a cert error, fix the cert — do not silence the client.


Section 11

Real-World Cases — When Certificates Broke the News

🚫
DigiNotar Collapse (2011)
A Dutch CA was breached and issued forged certificates for google.com, used to spy on ~300,000 Iranian Gmail users. Covered by Reuters, The New York Times, and BBC. Within weeks, every browser untrusted DigiNotar, and the company went bankrupt.
CA compromise — Sept 2011
💔
Heartbleed (2014)
A bug in OpenSSL's heartbeat extension let anyone read 64KB of server memory — including private keys. Two-thirds of the internet was affected. Front-page coverage in The Guardian, NYT, and The Washington Post. Almost every certificate on the web was reissued in the weeks after.
OpenSSL CVE-2014-0160
💾
Superfish / Lenovo (2015)
Lenovo shipped consumer laptops pre-installed with Superfish adware that installed its own root CA and re-signed every HTTPS site. The Wall Street Journal and Wired reported it. The FTC later fined Lenovo $3.5M. It became the textbook example of a man-in-the-middle root attack.
Root CA misuse — Feb 2015
🎉
Let's Encrypt Launch (2016)
Free, automated, browser-trusted certificates went live to the public. Covered by Ars Technica, NYT, and The Register. HTTPS adoption doubled in 18 months. By 2024, Let's Encrypt was issuing certificates for more than 400 million domains.
Democratised HTTPS
Symantec Distrust (2017-2018)
Google and Mozilla progressively distrusted Symantec-issued certificates after repeated misissuance. Covered extensively by Ars Technica and The Register. Symantec eventually sold its certificate business to DigiCert. It set the modern rule: even the largest CA is only as trusted as its worst audit.
CA distrust — Chrome 70+
🚀
TLS 1.3 Standardised (2018)
RFC 8446 published, cutting the handshake to 1 RTT and removing every known-weak cipher. Wired, Ars Technica, and The Register called it the biggest security upgrade since HTTPS itself. By 2024, more than 70% of new TLS connections use TLS 1.3.
RFC 8446 — Aug 2018
📰
Why These Stories Reached Front Pages

Certificate incidents make news because they break the padlock — the single symbol most users have been taught to trust. When Heartbleed hit, tech desks at newspapers had to explain crypto to millions of readers overnight. Each incident reshaped browser policy, CA governance, and how the industry does certificate transparency logging.


Section 12

Common Attacks Against SSL/TLS

AttackHow It WorksDefence
MITM (Man-in-the-Middle) Attacker intercepts and re-signs traffic using a rogue CA Certificate pinning + CT logs
SSL Stripping Attacker downgrades HTTPS links to plain HTTP before user clicks HSTS + browser preload list
POODLE Forces downgrade to SSL 3.0, then exploits padding oracle Disable SSL 3.0 (done since 2014)
BEAST Predictable IVs in CBC-mode TLS 1.0 leak plaintext TLS 1.2+ with GCM ciphers
Heartbleed Memory over-read leaks server private key Patch OpenSSL, rotate keys
Compromised CA Rogue CA issues valid cert for a domain it doesn't own Certificate Transparency (CT) logs
Downgrade Attack Tamper with ClientHello to force old TLS version TLS 1.3 signals full version list in handshake signature

Section 13

HSTS, Certificate Transparency, and Modern Defences

🔒
HSTS Header
HTTP Strict Transport Security
Server sends Strict-Transport-Security: max-age=63072000; includeSubDomains; preload. Browser refuses plain HTTP to that domain for two years. Defeats SSL stripping.
📋
CT Logs
Certificate Transparency
Every trusted CA must publish issued certificates to append-only public logs. Domain owners can watch for unauthorised certs. Chrome refuses certs missing CT signatures.
📌
CAA DNS Records
Certificate Authority Authorization
A DNS record like example.com. CAA 0 issue "letsencrypt.org" tells the world only Let's Encrypt may issue for this domain. Any other CA that ignores CAA can be sanctioned by browsers.

Enabling HSTS in nginx

# /etc/nginx/sites-available/example.com
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only allow TLS 1.2 and 1.3
    ssl_protocols   TLSv1.2 TLSv1.3;
    ssl_ciphers     ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS: 2 years, cover subdomains, ready for preload list
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}

Section 14

SSL/TLS vs Predecessors — Why This Layer Exists

❌ Plain HTTP
ThreatResult
EavesdroppingPasswords visible on every hop
TamperingISP can inject ads mid-page
ImpersonationAny WiFi hotspot can serve fake sites
Credential theftTrivial with Wireshark
✅ HTTPS (HTTP over TLS 1.3)
ThreatResult
EavesdroppingAES-256 ciphertext — infeasible to break
TamperingGCM tag rejects any bit-flip
ImpersonationCertificate check fails — big red warning
Credential theftWireshark shows only opaque bytes
🔥
The Snowden Effect

After Edward Snowden's 2013 NSA revelations (broken by The Guardian and The Washington Post), the industry accelerated TLS adoption dramatically. Google's "HTTPS Everywhere" ranking boost, Chrome's "Not Secure" warnings on plain HTTP, and the launch of Let's Encrypt all trace directly back to that moment.


Section 15

Golden Rules

🔒 SSL/TLS and Certificates — Non-Negotiable Rules
1
Always use TLS 1.2 or TLS 1.3 only. Disable SSL 3.0, TLS 1.0, and TLS 1.1 at the server level. Any CVE from the last decade against SSL/TLS targeted those old versions.
2
Never generate keys smaller than RSA-2048 or ECDSA P-256. Prefer ECDSA / Ed25519 — faster handshakes, smaller certs, same security level.
3
Always enable Perfect Forward Secrecy — use ECDHE key exchange. TLS 1.3 mandates it. In TLS 1.2, explicitly configure ECDHE-* cipher suites.
4
Use Let's Encrypt with certbot auto-renew unless a business reason demands otherwise. Automated 90-day renewal is safer than paid annual certs that people forget to renew.
5
Publish a CAA DNS record naming your authorised CA. Publish an HSTS header with max-age of at least one year. Submit your domain to the HSTS preload list.
6
Test your configuration on SSL Labs (ssllabs.com/ssltest). Aim for grade A or higher. Anything below B in 2026 is a security incident waiting to happen.
7
Never disable certificate validation in client code (curl -k, verify=False, ServerCertificateValidationCallback). If it fails, fix the cert, do not silence the check.
8
Monitor Certificate Transparency logs for your domain (crt.sh). Set up alerts. If someone else's CA ever issues a cert for your domain, you want to know within hours — not months.
🏆
The Practitioner's Rule

Digital signatures prove who. Certificates prove whose key. TLS ties both together into an encrypted tunnel. Understand each layer independently, and every "SSL error" in production becomes a five-minute diagnosis instead of a two-day panic.

You have completed Information Security. View all sections →