Digital Certificate
About 4 min read
Last updated: 2026-03-02
What Is a Digital Certificate
A digital certificate is an electronic identity document that binds a public key to an identity, typically a domain name or an organization. It is issued by a Certificate Authority (CA), whose signature on the certificate asserts that "this public key indeed belongs to this domain (or organization)."
When you access an HTTPS site, the server presents its certificate during the TLS handshake. The browser checks that the certificate chains up to a CA in its trust store, that it has not expired or been revoked, and that the host name it connected to is listed in the certificate's Subject Alternative Name (SAN); only then does it complete the encrypted connection. This mechanism is the foundation of secure communication on the Internet.
Types of Certificates
- DV (Domain Validation) Certificate: The simplest type; it verifies only that the applicant controls the domain, through an automated challenge (publishing a DNS record, serving a file over HTTP, or answering an email sent to a domain contact), and is issued within minutes. Available for free from Let's Encrypt. Suitable for personal sites, blogs, and small services. The TLS encryption it enables is exactly the same as with OV and EV.
- OV (Organization Validation) Certificate: Additionally verifies that the organization legally exists and is the one applying. Requires submission of registration documents and takes several days to issue. Used by corporate sites and services that want to show that an identifiable organization stands behind the domain.
- EV (Extended Validation) Certificate: The most rigorous vetting, covering legal existence, physical address, and operational status. Browsers used to show a green address bar with the organization name, but Chrome and Firefox removed that indicator in 2019. The practical advantage over DV has largely disappeared, and adoption is declining.
Chain of Trust
The trustworthiness of digital certificates is built on a "chain of trust."
- Root Certificate: A self-signed certificate belonging to a top-level CA (Root CA). Nothing signs it; it is trusted because it is pre-installed in the trust store of operating systems and browsers. DigiCert, GlobalSign, and ISRG (Let's Encrypt) are prominent examples.
- Intermediate Certificate: Issued by the Root CA to an Intermediate CA, and marked as a CA certificate (basicConstraints CA:TRUE, usually with a path-length limit so it cannot create further sub-CAs). The Root CA's private key is kept offline for security, and day-to-day certificate issuance is delegated to Intermediate CAs.
- End-Entity Certificate: The certificate issued to the actual website or service, signed by the Intermediate CA. The browser builds the chain from the end-entity certificate through the intermediate(s) to a root in its trust store, checking each signature along the way. The server must send the intermediate certificate together with its own during the TLS handshake; a missing intermediate is one of the most common causes of "certificate not trusted" errors, and it often goes unnoticed because desktop browsers repair the chain themselves (from a cache or by fetching the missing intermediate) while command-line tools and many mobile apps do not.
If any link in this chain fails (an intermediate certificate is revoked, expired, or missing), every certificate below it becomes untrusted. This is why the security of CAs, and of their signing keys in particular, is critically important.
Certificate Management and Operations
Key points for operating certificates in production.
- Expiration Management: Certificates have an expiration date (publicly trusted TLS certificates are currently limited to 398 days, and the CA/Browser Forum has scheduled reductions to 200 days in March 2026, 100 days in March 2027, and 47 days in March 2029). Expired certificates trigger browser warnings. Let's Encrypt certificates are valid for 90 days, making automated renewal (certbot) essential.
- Automated Renewal: Manual renewal is error-prone and a classic cause of outages. Use an ACME client (certbot, acme.sh) to renew automatically, and monitor the remaining validity with a check that is independent of the renewal job, so that a silently failing renewal is noticed before the certificate expires.
- Certificate Transparency (CT): Public, append-only logs of every issued certificate. When a CA issues a certificate it submits it to CT logs and embeds the logs' Signed Certificate Timestamps (SCTs) in the certificate; Chrome and Safari reject certificates that carry no valid SCTs. Domain owners can watch the logs to detect certificates for their names that they never requested, whether issued by mistake or maliciously.
- Revocation: A certificate whose private key has been compromised must be revoked immediately. Clients can check status through a CRL (Certificate Revocation List) published by the CA or via OCSP (Online Certificate Status Protocol); with OCSP Stapling the server fetches a fresh, CA-signed OCSP response itself and attaches it to the TLS handshake, which avoids a round trip to the CA and keeps the client's browsing hidden from it. Bear in mind that revocation only protects clients that actually check: major browsers now rely mostly on CRLs aggregated by the browser vendor (Chrome's CRLSets, Firefox's CRLite) rather than live OCSP queries, and Let's Encrypt ended its OCSP service in 2025 in favor of CRLs. Short certificate lifetimes are the most dependable limit on the damage a compromised key can do.
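The chain-of-trust section and the operational checks above (expiry monitoring and revocation), as one added example in shell using the openssl command-line tool. This is not code from the original article. It assumes openssl 1.1.1 or later on the path, and every name in it ("Example Root CA", "Example Intermediate CA", www.example.com) and the temporary-directory layout are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: build a three-tier PKI with
# the openssl CLI (1.1.1 or later assumed), then run the checks a browser
# performs. All names ("Example Root CA", www.example.com) and the file layout
# are made up for this demonstration.

# build_pki DIR: root CA (self-signed) -> intermediate CA -> leaf for www.example.com.
# Extensions are given via -extfile so they are explicit and do not depend on
# the system openssl.cnf.
build_pki() {
  dir=$1
  mkdir -p "$dir"
  # Root: self-signed; in production its key stays offline (here: $dir/root.key).
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Example Root CA" -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # Intermediate: signed by the root; pathlen:0 forbids it from creating further CAs.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int.ext"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$dir/int.ext" -out "$dir/int.pem" 2>/dev/null
  # End-entity: signed by the intermediate, 90-day lifetime, host names in the SAN.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=www.example.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.com,DNS:example.com\n' > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf ROOT LEAF HOSTNAME [INTERMEDIATE] [CRL]: what a browser does with the
# server's certificate. ROOT plays the trust store; INTERMEDIATE is what the server
# is supposed to send alongside its own certificate (-untrusted: usable for chain
# building, not trusted by itself); CRL, if given, turns on the revocation check.
verify_leaf() {
  root=$1 leaf=$2 host=$3 inter=${4:-} crl=${5:-}
  set -- -CAfile "$root" -verify_hostname "$host"
  [ -n "$inter" ] && set -- "$@" -untrusted "$inter"
  [ -n "$crl" ] && set -- "$@" -crl_check -CRLfile "$crl"
  openssl verify "$@" "$leaf"
}

# cert_valid_for_days CERT DAYS: succeeds if CERT stays valid for at least DAYS
# more days, fails if it expires sooner. Run it from a monitor that is
# independent of the renewal job, so a silently failing renewal gets caught.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# revoke_leaf DIR: the intermediate CA revokes the leaf and issues a CRL.
# openssl ca needs a minimal config plus an (initially empty) issuance database.
revoke_leaf() {
  dir=$1
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = int_ca
[ int_ca ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/int.pem
private_key = $dir/int.key
default_md = sha256
default_crl_days = 7
EOF
  : > "$dir/index.txt"
  echo 01 > "$dir/crlnumber"
  openssl ca -config "$dir/ca.cnf" -revoke "$dir/leaf.pem" -crl_reason keyCompromise 2>/dev/null
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/int.crl" 2>/dev/null
}

WORK=$(mktemp -d)
build_pki "$WORK"
echo "# full chain, correct host name:"
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" www.example.com "$WORK/int.pem"
echo "# server forgot to send the intermediate:"
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" www.example.com || echo "-> rejected"
echo "# certificate presented for a host it does not name:"
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" evil.example.net "$WORK/int.pem" || echo "-> rejected"
echo "# renewal monitor: alert when fewer than 30 days remain"
cert_valid_for_days "$WORK/leaf.pem" 30 && echo "-> 90-day certificate is fine for now"
revoke_leaf "$WORK"
echo "# after revocation, checked against the intermediate's CRL:"
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" www.example.com "$WORK/int.pem" "$WORK/int.crl" || echo "-> rejected"
echo "# same certificate, verified without consulting the CRL:"
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" www.example.com "$WORK/int.pem" && echo "-> still accepted: revocation only works for clients that check"
```

The run shows the four failure modes from the text side by side: a chain that cannot be built because the intermediate is absent, a name mismatch, a certificate that is nearing expiry, and a revoked certificate that is still accepted by any client that does not consult the CRL. Replace `-CAfile` with the system trust store (`-CApath /etc/ssl/certs` on most Linux systems) to check a certificate obtained from a real server with `openssl s_client -showcerts`.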
To learn more about this topic, see How HTTPS and TLS Work: The Encryption Behind Secure Communication.
Common Misconceptions
- EV certificates provide stronger encryption than DV certificates
  - Encryption strength does not depend on the certificate type. The cipher suite and key exchange are negotiated by TLS regardless of whether the certificate is DV, OV, or EV. The only difference is how thoroughly the CA verified who operates the domain.
- More expensive certificates are more secure
  - There is no difference in encryption security between Let's Encrypt's free DV certificates and paid DV certificates. The added value of paid certificates lies in organization validation (OV/EV), customer support, and a warranty, not encryption strength; even wildcard certificates are available for free from Let's Encrypt via the DNS challenge.