Here's a preview from my zine, HTTP: Learn your browser's language!! If you want to see more comics like this, sign up for my Saturday comics newsletter or browse more comics!


To establish an HTTPS connection to examplecat.com, the client needs proof that the server is examplecat.com.

Browser, represented by the Firefox logo: hey I want examplecat.com

Server, represented by a box with a smiley face: here’s proof that I’m examplecat.com.

(the proof is called a certificate.)

A TLS certificate has:

  • a set of domains it’s valid for (eg examplecat.com)
  • a start and end date (example: July 1 2019 to Oct 1 2019)
  • a secret private key that only the server has (this is the only secret part, the rest is public)
  • a public key to use when encrypting
  • a cryptographic signature from someone trusted

A box that reads “wizardzines.com, Jul 1 - Oct 1 2019, with a logo that says Let’s Encrypt Approved”

The trusted entity that signs the certificate is called a Certificate Authority (CA) and they’re responsible for only signing certificates for a domain for that domain’s owner.

Smiling stick figure with short spiky hair: will you sign this certificate for examplecat.com?

Let’s Encrypt, represented by a box with a smiley face: lol no I checked examplecat.com/.well-known/acme-challenge and you don’t own that domain.

When your browser connects to examplecat.com, it validates the certificates using a list of trusted CAs installed on your computer. These CAs are called “root certificate authorities”.

Browser, thinking:

  1. the examplecat.com server is signed by Let’s Encrypt
  2. Let’s Encrypt’s cert is signed by IdenTrust
  3. IdenTrust is on my trusted list.
  4. This is okay!
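
The browser's reasoning above, written out in Python as an added example that is not part of the comic or zine. It uses textbook RSA over small Mersenne primes as a stand-in for real certificate signatures (insecure, for illustration only). The field names, keys and the CA certificate's dates are constructed, and real-world checks such as CA constraints, wildcard names and revocation are left out.

```python
import hashlib
from datetime import date

E = 65537  # public exponent shared by every toy key below

def keypair(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}  # d is the private part

def digest(cert, n):
    """Hash every signed field (everything except the signature), reduced mod n."""
    fields = (cert["subject"], cert["domains"], cert["start"], cert["end"],
              cert["pub_n"], cert["issuer"])
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest(), "big") % n

def issue(subject, domains, start, end, subject_key, issuer, issuer_key):
    """Only the public half of subject_key goes in; the private half stays with its owner."""
    cert = {"subject": subject, "domains": domains, "start": start, "end": end,
            "pub_n": subject_key["n"], "issuer": issuer}
    cert["sig"] = pow(digest(cert, issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return cert

def validate(host, chain, trusted_roots, today):
    """chain = [server cert, intermediate, ...]; trusted_roots maps CA name -> public n."""
    if host not in chain[0]["domains"]:          # exact match only in this example
        return "wrong domain"
    for i, cert in enumerate(chain):
        if not cert["start"] <= today <= cert["end"]:
            return "expired or not yet valid"
        rooted = cert["issuer"] in trusted_roots
        if rooted:                               # "IdenTrust is on my trusted list"
            signer_n = trusted_roots[cert["issuer"]]
        elif i + 1 < len(chain) and chain[i + 1]["subject"] == cert["issuer"]:
            signer_n = chain[i + 1]["pub_n"]     # signed by the next cert in the chain
        else:
            return "untrusted issuer"
        if pow(cert["sig"], E, signer_n) != digest(cert, signer_n):
            return "bad signature"
        if rooted:
            return "ok"
    return "untrusted issuer"

# Constructed sample chain mirroring the comic: IdenTrust -> Let's Encrypt -> examplecat.com
ROOT, INTER, LEAF, OTHER = keypair(61, 89), keypair(107, 127), keypair(13, 17), keypair(19, 31)
START, END = date(2019, 7, 1), date(2019, 10, 1)
TRUSTED = {"IdenTrust": ROOT["n"]}
LE = issue("Let's Encrypt", [], date(2016, 1, 1), date(2021, 1, 1), INTER, "IdenTrust", ROOT)
SERVER = issue("examplecat.com", ["examplecat.com"], START, END, LEAF, "Let's Encrypt", INTER)
# Names Let's Encrypt as issuer but was signed with an unrelated key, so it must be rejected.
FORGED = issue("examplecat.com", ["examplecat.com"], START, END, OTHER, "Let's Encrypt", OTHER)
```

Calling validate("examplecat.com", [SERVER, LE], TRUSTED, date(2019, 8, 1)) returns "ok"; swapping in FORGED, a date after Oct 1 2019, or an empty trusted list each returns the specific failure.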

© Julia Evans 2025 | All rights reserved (see the FAQ for notes about licensing)