
How does Digicert work?

Published in Digital Certificates

DigiCert works as a trusted Certificate Authority (CA) that issues digital certificates to websites and organizations, enabling secure communication and identity verification. Here's a breakdown of how it works in the context of HTTPS:

1. Certificate Authority (CA) and Trust:

  • DigiCert acts as a trusted third party. Web browsers and operating systems come pre-installed with a list of trusted CAs, including DigiCert. This trust is critical for the entire process.

2. Certificate Request and Validation:

  • A website owner (or organization) that wants an SSL/TLS certificate (for HTTPS) submits a Certificate Signing Request (CSR) to DigiCert.
  • The CSR contains information about the website's domain name, organization details, and the public key that will be used for encryption.
  • DigiCert rigorously validates the information in the CSR to ensure that the requesting entity legitimately controls the domain and is who they claim to be. This validation can involve domain ownership verification, organizational checks, and other methods.

3. Certificate Issuance:

  • If the validation is successful, DigiCert issues a digital certificate. This certificate contains the website's domain name, the website's public key, information about DigiCert itself (as the issuer), and a digital signature from DigiCert. The digital signature is created using DigiCert's private key.

4. Certificate Installation:

  • The website owner installs the issued certificate on their web server.

5. Secure Connection Establishment (HTTPS):

  • When a user's browser attempts to connect to a website secured with HTTPS, the server sends its SSL/TLS certificate to the browser.
  • The browser checks if it trusts the issuing CA (DigiCert in this case). Because DigiCert is a well-known and trusted CA, the browser already has DigiCert's root certificate in its trusted store.
  • The browser verifies the certificate's digital signature using DigiCert's public key (which it obtained from the trusted root certificate).
  • The browser verifies that the domain name in the certificate matches the domain name of the website being visited.
  • If all checks pass, the browser trusts the certificate and establishes a secure, encrypted connection with the server using the public key provided in the certificate. The server decrypts the subsequent communication using its corresponding private key (which is never shared).
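The issuance and verification steps above, as an added illustration that is not from the article or from DigiCert: a throwaway "Example Root CA" stands in for DigiCert, and the openssl command-line tool stands in for the browser's checks (trusted issuer, valid signature, matching domain name). It assumes OpenSSL 1.0.2 or newer is installed; the hostnames are made up.

```shell
#!/bin/sh
# Returns 0 when the leaf certificate chains to the trust store AND its
# name matches the site visited, 1 otherwise. Everything happens in a
# temporary directory that is removed afterwards.
set -eu

issue_and_verify() {
  host="$1"              # domain named in the CSR and the certificate
  visited="$2"           # domain the client actually connected to
  store="${3:-trusted}"  # "trusted": client ships this CA's root; "untrusted": it does not
  dir=$(mktemp -d); cd "$dir"

  # Step 1: the CA's own key pair and self-signed root, marked as a CA via basicConstraints
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=Example Root CA\n' > ca.cnf
  printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> ca.cnf
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ca.cnf -extensions v3_ca \
    -keyout ca.key -out ca.crt 2>/dev/null

  # Step 2: the site owner generates its key pair and a CSR carrying its domain
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout server.key -out server.csr 2>/dev/null

  # Step 3: after validation (not modelled here), the CA signs the CSR with ca.key,
  # binding the domain (as a subjectAltName) to the site's public key
  printf 'subjectAltName=DNS:%s\n' "$host" > san.cnf
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile san.cnf -out server.crt 2>/dev/null

  # Step 5: build the relying party's trust store; an "untrusted" store holds some
  # other self-signed root, so server.crt's signature cannot be chained to it
  if [ "$store" = untrusted ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ca.cnf -extensions v3_ca \
      -subj "/CN=Other Root CA" -keyout other.key -out trust.crt 2>/dev/null
  else
    cp ca.crt trust.crt
  fi
  # openssl verify performs the checks listed in the article: is the issuer trusted,
  # does the signature verify up to that root, and does the name match the site
  if openssl verify -CAfile trust.crt -verify_hostname "$visited" server.crt >/dev/null 2>&1; then
    result=0
  else
    result=1
  fi
  cd / && rm -rf "$dir"
  return "$result"
}
```

Calling `issue_and_verify www.example.test www.example.test` succeeds, while a visited name that differs from the certificate, or a trust store without the issuing root, makes the same check fail.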

6. Secure Communication:

  • After the secure connection is established, the browser and server negotiate a symmetric key. This symmetric key is used for encrypting all subsequent data transmitted between the browser and the server. Because symmetric encryption is much faster than asymmetric encryption, it's used for the bulk of the communication. In its simplest form, this negotiation involves the browser generating a random symmetric key, encrypting it with the server's public key (obtained from the certificate), and sending the encrypted symmetric key to the server. The server then decrypts the symmetric key using its private key and sends an acknowledgement encrypted with that symmetric key.

In summary, DigiCert acts as a trusted third party, validating website identities and issuing digital certificates. These certificates are then used to establish secure, encrypted HTTPS connections between users' browsers and web servers, ensuring the privacy and integrity of data transmitted over the internet.
