The Anatomy of an SSL/TLS Certificate

Every SSL/TLS certificate contains specific information that enables secure communication and identity verification. The subject field identifies the entity to which the certificate is issued, including the common name (typically the domain name) and potentially organization details. The issuer field identifies the Certificate Authority that validated the information and issued the certificate. The validity period defines when the certificate becomes active and when it expires, typically ranging from 90 days to two years in modern practice.

The public key forms the cryptographic heart of the certificate, enabling secure key exchange during the TLS handshake. This key, mathematically related to a private key held only by the server, allows browsers to encrypt information that only the server can decrypt. Modern certificates use either RSA keys (typically 2048 or 4096 bits) or Elliptic Curve keys (usually 256 or 384 bits), with the latter offering equivalent security at smaller key sizes.

The signature algorithm and signature ensure the certificate's authenticity and integrity. The Certificate Authority uses its private key to sign the certificate, creating a cryptographic signature that browsers can verify using the CA's public key. This signature prevents tampering – any modification to the certificate contents would invalidate the signature, alerting browsers to potential security issues. Modern certificates use SHA-256 or stronger hash algorithms for signing.

Extensions add flexibility and functionality to certificates beyond basic identification and encryption. The Subject Alternative Name (SAN) extension allows a single certificate to secure multiple domains or subdomains. Key usage extensions specify whether the certificate can be used for digital signatures, key encryption, or both. Certificate Transparency extensions provide proof of public logging, enhancing accountability and detection of misissued certificates.