Certificate structure: contains holder identity (CN=name), public key, validity (notBefore/notAfter), CA signature, and trust chain to root. Each element is crucial for validation.
What is a digital certificate
A digital certificate is a cryptographic document that verifies the identity of a person, device or server and authorizes actions. It contains the public key of the holder, identity verified by a Certificate Authority (CA), period of validity, and digital signature of the CA. Certificates are used for: establishing secure HTTPS connections (SSL/TLS), authenticating users via client certificate, digitally signing documents, and authenticating without password (WebAuthn). The PKI (Public Key Infrastructure) manages the lifecycle: generation, distribution, validation, revocation, and renewal of certificates.
Why it matters
Digital certificates are the foundation of trust on the internet: without them, anyone could impersonate a website (technical phishing). HTTPS protects confidentiality and authenticity using certificates; 95% of web traffic is HTTPS. For CISOs, certificates are critical: 1) Strong authentication without password using client certificates (smart cards, hardware keys); 2) Digital signature of critical documents for regulatory non-repudiation; 3) mTLS (mutual TLS) for microservices and APIs; 4) Infrastructure access without password (Kubernetes, microservices). Certificate management is complex operational task: tracking expiration, renewal before expiration, revocation of compromised certificates. Unexpected expiration causes outages: banks, financial services, and critical operators have suffered massive interruptions from expired certificates. NIS2 and DORA require certificate management in critical infrastructure.
Key points
Common types: SSL/TLS (web servers), client (person/device authentication), code (software signature), email (signature/encryption). Each type has usage restrictions.
Certificate validation: browser/client verifies CA signature, checks validity period, and validates certificate domain matches visited site (protects against phishing).
Revocation: compromised certificates must be revoked immediately. Mechanisms: CRL (Certificate Revocation List), OCSP (Online Certificate Status Protocol). Revocation checks protect against stolen certificates.
Example: Certificate expiration causes critical outage
A bank forgets to renew the SSL certificate of its trading platform 10 days before expiration. The certificate expires at midnight. Clients cannot access the platform: browsers reject the connection (expired certificate = unsafe). Outage lasts 4 hours, estimated loss of operations 500K EUR. Post-analysis: no expiration alerts (monitoring system was disabled), no automatic renewal process, and team change left no clear responsibility assignment. Solution: implement ACME (Automated Certificate Management Environment) with Let's Encrypt for automatic renewal 30 days before expiration, alerts on Slack/email at 60/30/7 days, and quarterly audit of all certificates in production.
Common mistakes
- Assuming a valid certificate will remain valid; if not renewed 30 days before expiration, outage occurs. Automating renewal is critical.
- Not validating trust chain of certificate; a fraudulent certificate that does not verify against trusted CA root must be rejected immediately.
- Using self-signed certificates in production; although technically functional, browsers/clients generate warnings that reduce user trust.
Related services
This concept may be related to services such as:
Frequently asked questions
What is the difference between SSL and TLS certificates
SSL (Secure Socket Layer) is legacy protocol (versions 1.0-3.0, all deprecated). TLS (Transport Layer Security) is modern successor (TLS 1.2, 1.3 current). Both use similar certificates, but TLS is more secure with improved encryption. In practice, SSL and TLS certificates are used interchangeably; what matters is verifying the server uses TLS 1.2+, not old SSL.
Can I use the same certificate on multiple servers
Depends on type: wildcard certificate (*.example.com) protects all subdomains. Multi-domain certificate protects multiple specific domains. Standard certificate protects one domain. Operationally, sharing certificates between servers complicates revocation: if one server is compromised, certificate must be revoked on all. Best practice: unique certificate per server with automatic individual renewal.
How do you validate a client certificate for authentication
User installs certificate in browser/client (smart card, hardware key, or software store). When connecting to server, the certificate is sent. Server validates: 1) signature from trusted CA, 2) validity period, 3) revocation list (certificate is not revoked), 4) authenticity (certificate belongs to known user). If validation passes, access is granted without password.