SSL/TLS certificates, understanding everything

A digital certificate

A digital certificate is like an identity card for a website. It allows your browser or a machine (such as a gateway) to check that the site is who it claims to be, and that the connection is secure (encrypted).

• These certificates are issued by a trusted authority (e.g. Let’s Encrypt), a bit like a town hall issuing an identity card.
• They have an expiry date: they need to be renewed regularly, otherwise browsers or devices will refuse to connect (they think the identity card has expired).
• There are also root certificates: these are the “motherboards” stored in the devices. If one of these root certificates expires or is no longer recognised, all the certificates that depend on it may be rejected.

Our gateways (GTW) include a list of root certificates.

If one of these root certificates expires, they may no longer trust valid Let’s Encrypt certificates.

A chain of trust

A certificate is like a chain of trust. At the bottom, you have the certificate for the website or gateway. At the top is an intermediate certificate, which guarantees that the site’s certificate is valid. At the very top, there is a root certificate (the “master”), which is directly recognised by your computer or gateway as trustworthy. This is called the certificate chain: Site → Intermediate → Root.