KomuraSoft LLC
Chapter 4

Certificates and PKI — verifying who you talk to

From the man-in-the-middle attack, grasp the structure certificate = public key + name + CA signature, and the verification walk up the chain to the root store.

Not "with someone" — with the owner of that domain

Recall the hole at the end of Chapter 3. DH agrees on a secret with "whoever exchanged public values with you" — it cannot tell you who that is. An attacker spliced into the path can agree on secret s₁ with you and secret s₂ with the real server, then decrypt everything you send with s₁, read it, and forward it re-encrypted with s₂. To you and to the server, the traffic looks perfectly normal. This is the man-in-the-middle (MITM) attack.

What is missing is authenticity — confirmation that "the public value I am about to agree keys with truly belongs to the owner of this domain." The answer is the certificate, and the PKI (public key infrastructure) behind it.

Certificate = public key + name + CA signature

The core of a server certificate (an X.509 certificate) is just three items:

A public key
The shareable half of the server's key pair
Names (SAN: Subject Alternative Name)
Which domains this public key belongs to — e.g. www.example.com; wildcards like *.example.com are possible
The CA's digital signature
A third party's signature saying "I, this certificate authority, verified this name–key binding." The validity period (notBefore / notAfter) is included under the signature

Before signing, the CA verifies that the applicant actually controls the domain. In the most common form, domain validation (DV), the CA has the applicant place a designated token on that domain's web server or DNS — an operation only the domain's controller can perform. The same idea recurs throughout this course: prove identity by doing something only the genuine party can do.

Diagram of the certificate chain: signatures traced from the server certificate through the intermediate CA to the root CA, settled against the root store

Verification walks the signatures upward from the leaf and settles at "is this in my local root store?" — reducing peer verification to a match against a locally held roster.

Practice 4-1 — Which hole do certificates close?

Confirm the hole left open in Chapter 3's key agreement, and the structure of a certificate.

Q1. Why is Diffie–Hellman key agreement alone insufficient for a secure channel?

Q2. Which of these is not contained in a server certificate?

Q3. Verifying the chain server certificate (leaf) → intermediate CA certificate → root CA certificate: how many signature verifications does the browser perform? (The root certificate is confirmed by matching the root store, which does not count as a signature verification)

verifications

The chain of trust — walking upward

"Verifying the CA's signature needs the CA's public key. Who vouches for that?" — repeat the question and you see a starting point is required. PKI's answer:

  1. Verify the server certificate (leaf)'s signature with the intermediate CA's public key
  2. Verify the intermediate CA certificate's signature with the root CA's public key
  3. Match the root CA certificate against the root store shipped with the OS/browser — the trust anchor

The root CA's private key is kept in strict isolation; day-to-day signing is done by intermediates. If an intermediate is compromised, it can be revoked without replacing the root — the layering exists for operational safety.

The browser's verification, in summary, is three independent checks. If any one fails, you get an error:

CheckQuestionTypical error when it fails
Signature chainDo the signatures reach the root store?"This certificate is not trusted" (self-signed, unknown CA, missing intermediate)
Validity periodIs now within notBefore–notAfter?"This certificate has expired"
Name matchIs the host being accessed listed in the SAN?"This certificate is not for this site"

On top of these, revocation checking (CRL / OCSP) exists to reject certificates invalidated before expiry, e.g. after a key leak. Chapter 6 practices triaging these errors on real output.

Certificates are public — so what proves identity?

One frequently missed point: the certificate itself is public information anyone can obtain. Your browser will display it; copying is trivial. So if an attacker copies a genuine certificate onto their server, can they impersonate the site?

No. The certificate binds a name to a public key, and the matching private key exists only on the genuine server. As Chapter 5 shows, the TLS handshake makes the server sign content determined on the spot. Without the private key, that signature cannot be produced. Only the pair — certificate (public) + proof of private-key possession (signature) — establishes "this is the domain's owner."

Operational takeaway: a leaked certificate is not an incident; a leaked private key means immediate revocation. Be able to explain which one needs guarding, from this structure.

Practice 4-2 — The chain through a practitioner's eyes

See how each verification step shows up in real errors and attacks.

Q4. How does the browser come to trust the root CA certificate at the start of the chain?

Q5. A certificate's SAN lists only www.example.com, and you connect as api.example.com. The chain's signatures and validity period are fine. What happens?

Q6. An attacker copies a genuine server certificate (a public document) onto their own server. Why does impersonation still fail?

What to take from this chapter

  • DH's hole is the man-in-the-middle attack; what's missing is authenticity — "is this the domain's owner?"
  • A certificate's core is public key + name + CA signature. No private key inside
  • Verification = signature chain, validity period, name match — three independent checks, anchored in the local root store
  • What finally stops impersonation is proof of private-key possession. Certificate public; private key guarded

The tools are complete. Next, watch key agreement (Chapter 3) and certificates (this chapter) assemble into the single round trip of the TLS 1.3 handshake.