How it works
An SSL certificate (today more accurately a TLS certificate) is a small data file that establishes a site’s cryptographic identity. More formally, it’s an X.509 certificate, and it is the building block of the Public Key Infrastructure (PKI) that a browser relies on to set up a secure connection. The scheme rests on a key pair: a private key, which is stored only on the website’s host and never leaves it, and a public key, which is embedded in the certificate together with the site’s name and is available for anyone to read. The certificate is the signed binding between that public key and that name.
To get a certificate, a website’s owner first generates a private key and a certificate signing request (CSR). The CSR carries the public key and the requested domain name and is signed with the private key to prove the requester holds it; the private key itself is never sent anywhere. From here there are two options.
The cheap option is to self-sign: sign the CSR with your own private key. This costs nothing and still allows encryption, but it provides no authentication, because the certificate is vouched for only by itself. A visitor’s browser has no way to tell your self-signed certificate from one an attacker minted for the same domain name, so anyone who can get between the visitor and your server (by hijacking the domain, or by intercepting the traffic) can present their own certificate and read or alter the data. It’s of little value outside of personal and test sites, or internal setups where the certificate is distributed to the clients out of band.
The useful option is to get a CA-signed certificate. This requires submitting the CSR to a certificate authority (CA), which checks that the requester actually controls the domain and then returns a certificate signed with the CA’s own private key. That signature is the CA’s statement that the public key in the certificate belongs to your domain. A signed certificate therefore provides authentication as well as encryption: a browser that trusts the CA can check the signature and know it is talking to the real site, not an impostor with a home-made certificate.
But wait. How do you know that the CA is who it claims to be? The answer is that the CA’s own certificate is signed too. To be generally accepted, a certificate has to chain, usually through one or more intermediate CA certificates, back to a trusted root CA. A root certificate is itself self-signed; what makes it trustworthy is not its signature but the fact that browsers and operating systems ship with a curated set of root certificates (the root store) and reject any chain that does not end in one of them. The browser walks the chain: it verifies the site’s certificate with the intermediate’s public key, the intermediate with the root’s, and stops when it reaches a root it already holds.
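The whole procedure above, from key and CSR through the self-signed and CA-signed options to chain verification, as an added example using the openssl command line. This is not code from the original article; it assumes openssl 1.1.1 or newer is on PATH, and the names example.test, Demo Root CA and Demo Intermediate CA are hypothetical placeholders. It also shows the two failure modes the text describes: a self-signed certificate (the site’s own, and an impostor’s for the same name) does not chain to the root, and a CA-signed leaf does not verify if the intermediate is missing.

```shell
#!/bin/sh
# Added example, not code from the original article. It walks the lifecycle
# described above with the openssl CLI: key + CSR, a self-signed cert, a
# CA-signed cert, and chain verification. Assumes openssl 1.1.1 or newer on
# PATH; "example.test", "Demo Root CA" and "Demo Intermediate CA" are
# hypothetical names.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Tiny req config so the script does not depend on the system openssl.cnf.
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"

# Step 1 (site owner): generate a private key and a CSR. The private key stays
# on this host; the CSR carries only the public key plus the requested name,
# signed with the private key to prove the requester holds it.
make_key_and_csr() {            # $1 = file prefix, $2 = subject CN
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
    -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 2a (cheap option): sign the CSR with its own private key.
# Anyone can do this for any name, which is why it authenticates nothing.
self_sign() {                   # $1 = file prefix
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
    -out "$WORK/$1-selfsigned.crt" 2>/dev/null
}

# Step 2b (useful option): an issuer signs the CSR with the issuer's key.
# The extension file decides whether the result may itself act as a CA.
ca_sign() {                     # $1 = CSR prefix, $2 = issuer prefix, $3 = output prefix, $4 = ext file
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -extfile "$4" -out "$WORK/$3.crt" 2>/dev/null
}

# The root CA's certificate is self-signed too. What makes it a trust anchor is
# that the relying party installs it in its root store, not the signature.
make_root() {
  make_key_and_csr root "Demo Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
}

# Step 3 (browser side): accept a leaf only if it chains to a trusted root.
# $1 = leaf cert, $2 = trusted root (the "root store"), $3 = optional intermediate.
# -no-CAfile/-no-CApath keep the host's real root store out of the picture.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# The public key inside a certificate must be the partner of the private key.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

run_demo() {
  make_key_and_csr site example.test
  self_sign site                                            # cheap option
  make_root                                                 # stand-in CA
  make_key_and_csr int "Demo Intermediate CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  ca_sign int root int "$WORK/int.ext"                      # root signs the intermediate
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$WORK/leaf.ext"
  ca_sign site int site-ca "$WORK/leaf.ext"                 # intermediate signs the site
  # An impostor can mint a self-signed cert for the same name for free.
  make_key_and_csr impostor example.test
  self_sign impostor
}

run_demo
for leaf in site-ca site-selfsigned impostor-selfsigned; do
  if verify_chain "$WORK/$leaf.crt" "$WORK/root.crt" "$WORK/int.crt"; then
    echo "$leaf.crt: OK, chains to Demo Root CA"
  else
    echo "$leaf.crt: REJECTED, no path to a trusted root"
  fi
done
if [ "$(pubkey_of_cert "$WORK/site-ca.crt")" = "$(pubkey_of_key "$WORK/site.key")" ]; then
  echo "site-ca.crt carries the public half of site.key"
fi
```

Only site-ca.crt is accepted; both self-signed certificates are rejected even though one of them was made by the legitimate site owner, because the verifier has no way to distinguish it from the impostor’s. The -untrusted intermediate mirrors what a real server sends alongside its leaf: the browser needs it to walk the chain, but it is not itself trusted until the walk reaches a root in the store.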