How Does SSL Certificate Signing Work?


How does SSL Certificate signing work? You might ask this question as you learn about SSL Certificates and their role in keeping websites and Internet users safe online. The process itself is not very complicated. What requires care is that the signing must be done accurately, so that the intermediate CA is properly signed and the identity of the website’s domain owner can be verified.

The main purpose of SSL Certificates is to verify the identity of a website’s domain owner, so that an Internet user can be sure the site they are visiting is legitimate and not a duplicate. It also protects the site from attacks that intercept the data transferred to and from it, which could harm the website or the Internet user. So, how does SSL Certificate signing work? Here’s a simple explanation.


SSL Certificate Signing

For a site to be protected by an SSL Certificate issued by a Certificate Authority, the certificate must be signed. The signature lets browsers confirm that the certificate protecting the site is legitimate and that the identity the site claims is genuine.

  • Intermediate CA Signing by the Root CA

So, how does SSL Certificate signing work? The root CA is the one that signs the intermediate CA, which you install on your site to make it secure. It is your SSL Certificate’s proof that your certificate is not self-signed and your identity has been verified by a trusted Certificate Authority.

Without the root CA signing your intermediate CA, your SSL Certificate won’t be trusted by browsers. Your site will then show a warning message stating that your SSL Certificate is not legitimate or is self-signed. Self-signed certificates are not recommended for public websites and programs because browsers do not accept them.

  • Basic Constraints

But how does SSL Certificate signing work? Well, the root CA must have the Basic Constraints extension to be able to sign intermediate CAs. The Basic Constraints extension allows the CA flag to be set to TRUE, which enables the root CA to issue intermediate certificates to website owners. Without this extension on the root CA, the root CA’s authority to sign intermediate CAs is void; thus, intermediate CAs won’t be signed. This will result in browsers rejecting the chain of trust because the SSL Certificate installed on the site is not properly signed.

The browser used by your site’s visitors verifies the authenticity of your intermediate CA by determining the authority and legitimacy of your Certificate Authority’s root CA. Without it, your certificate won’t be able to complete the ‘handshake’, the verification of your private key against the public key that is needed to prove your ownership of your site. Also, if the browser rejects the certificate and the handshake cannot take place, your site won’t be able to decrypt the data sent by the Internet user.

To put it simply, your root CA requires the Basic Constraints extension to have the authority to sign an intermediate CA for the chain of trust to work.
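
To make the CA flag concrete, the Python sketch below is an added example, not code from the original article: it decodes the DER-encoded Basic Constraints extension value and checks that every issuing certificate in a chain has the CA flag set to TRUE. It goes slightly beyond the text by checking each issuer (not only the root) and by honoring the optional path length field defined in RFC 5280. The chain names and byte strings are constructed samples, the path length count is simplified, and signature verification is not covered.

```python
# Added example, not from the original page. Chain data below is constructed.
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element with a short-form length."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated element or unsupported long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos], buf[pos + 2:end], end

def parse_basic_constraints(der):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }  ->  (ca, path_len)"""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:   # BOOLEAN cA
        _, val, pos = read_tlv(body, pos)
        ca = val == b"\xff"                     # DER encodes TRUE as 0xFF
    if pos < len(body) and body[pos] == 0x02:   # INTEGER pathLenConstraint
        _, val, pos = read_tlv(body, pos)
        path_len = int.from_bytes(val, "big")
    if pos != len(body):
        raise ValueError("unexpected data after Basic Constraints fields")
    return ca, path_len

def check_chain(chain):
    """chain: [(name, basic_constraints_der or None)], leaf first, root last.
    Returns a list of problems; empty means every issuer is allowed to sign."""
    problems = []
    for cas_below, (name, bc) in enumerate(chain[1:]):   # skip the leaf
        ca, path_len = parse_basic_constraints(bc) if bc is not None else (False, None)
        if not ca:
            problems.append(f"{name}: CA flag is not TRUE, so it cannot sign certificates")
        elif path_len is not None and cas_below > path_len:
            problems.append(f"{name}: pathLenConstraint {path_len} exceeded")
    return problems

CA_TRUE = bytes.fromhex("30030101ff")              # cA=TRUE
CA_TRUE_PATH0 = bytes.fromhex("30060101ff020100")  # cA=TRUE, pathLenConstraint=0
NOT_CA = bytes.fromhex("3000")                     # empty SEQUENCE: cA defaults to FALSE
GOOD_CHAIN = [("site", NOT_CA), ("intermediate", CA_TRUE_PATH0), ("root", CA_TRUE)]
ROOT_WITHOUT_BC = [("site", NOT_CA), ("intermediate", CA_TRUE), ("root", None)]

if __name__ == "__main__":
    print(check_chain(GOOD_CHAIN))        # no problems reported
    print(check_chain(ROOT_WITHOUT_BC))   # the root is flagged
```
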
