Each HTTPS server uses one or more certificates to verify its identity. This certificate must either be trusted by the client itself or trusted by a third party that the client trusts. In common usages, such as web browsers, it's not really possible to list all trusted certificates. For this reason, it's most common to validate certificates by verifying that a trusted third party trusts them. This trust is proven using digital signatures.
For example, a popular digital certificate authority is DigiCert Inc. Suppose that you trust DigiCert Inc. and have stored a certificate from them locally; you then connect to a website, example.com. You may not trust example.com, because you haven't seen its certificate before. However, example.com shows you that its certificate has been digitally signed by the DigiCert Inc. certificate you do trust. Therefore, you trust the example.com website's certificate too.
In practice, certificate chains can be several layers deep. As long as you can verify digital signatures back to a certificate you trust, you are able to validate the whole chain.
This method is the common one used by HTTPS to authenticate servers. It does have some issues; namely, you must entirely trust the certificate authority. This is because certificate authorities could theoretically issue a certificate to an impostor, in which case you would be forced to trust the impostor. Certificate authorities are careful to avoid this, as it would ruin their reputation.
The most popular certificate authorities at the time of this writing are the following:
- IdenTrust
- Comodo
- DigiCert
- GoDaddy
- GlobalSign
The five preceding certificate authorities are responsible for over 90% of the HTTPS certificates found on the web.
It is also possible to self-sign a certificate, in which case no certificate authority is used. A client then needs to somehow reliably obtain and verify a copy of your certificate before it can be trusted.
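The chain walk and the self-signed case described above, as an added example in C that is not from the original text: a simplified model that follows issuer links from a server certificate back to a locally stored trusted certificate. The `cert` struct, the names and keys, and `toy_sign` (a keyed checksum standing in for a real digital signature, not cryptography) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified certificate (constructed model; real X.509 has many more fields). */
typedef struct { const char *subject, *issuer; unsigned key, sig; } cert;
/* Toy stand-in for a digital signature: a keyed checksum, NOT cryptography. */
static unsigned toy_sign(const char *subject, unsigned key, unsigned issuer_key) {
    unsigned h = issuer_key ^ key;
    while (*subject) h = h * 31u + (unsigned char)*subject++;
    return h;
}
static cert make_cert(const char *subject, const char *issuer, unsigned key, unsigned issuer_key) {
    return (cert){ subject, issuer, key, toy_sign(subject, key, issuer_key) };
}
static const cert *find(const cert *set, int n, const char *subject) {
    for (int i = 0; i < n; i++)
        if (strcmp(set[i].subject, subject) == 0) return &set[i];
    return NULL;
}

/* Returns 1 if every signature verifies back to a locally trusted certificate. */
int validate_chain(const cert *leaf, const cert *sent, int n_sent,
                   const cert *trusted, int n_trusted) {
    const cert *cur = leaf;
    for (int depth = 0; depth < 8; depth++) {          /* bound the chain length */
        const cert *anchor = find(trusted, n_trusted, cur->issuer);
        if (anchor)   /* issuer is in the trust store: check signature and stop */
            return cur->sig == toy_sign(cur->subject, cur->key, anchor->key);
        if (strcmp(cur->subject, cur->issuer) == 0) return 0; /* untrusted self-signed */
        const cert *next = find(sent, n_sent, cur->issuer);   /* intermediate from server */
        if (!next || cur->sig != toy_sign(cur->subject, cur->key, next->key)) return 0;
        cur = next;
    }
    return 0; /* chain too deep */
}

/* Constructed scenarios: 0 = valid chain, 1 = intermediate signed by a key that is
   not the trusted root's, 2 = untrusted self-signed, 3 = self-signed, stored locally. */
int scenario(int which) {
    cert root = make_cert("Example Root CA", "Example Root CA", 11, 11);
    cert mid  = make_cert("Example Issuing CA", "Example Root CA", 22, which == 1 ? 99 : root.key);
    cert leaf = make_cert("example.com", "Example Issuing CA", 33, mid.key);
    cert self = make_cert("self.example", "self.example", 44, 44);
    if (which == 2) return validate_chain(&self, NULL, 0, &root, 1);
    if (which == 3) return validate_chain(&self, NULL, 0, &self, 1);
    return validate_chain(&leaf, &mid, 1, &root, 1);
}
int main(void) {
    for (int i = 0; i < 4; i++) printf("scenario %d -> %d\n", i, scenario(i));
    return 0;
}
```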
Certificates are usually matched to domain names, but it's also possible for them to identify other information, such as company names, addresses, and so on.
In the next chapter, Chapter 10, Implementing a Secure Web Server, certificates are covered in more detail.
It's common today for one server to host many different domains, and each domain requires its own certificate. Let's now consider how these servers know which certificate to send.