HTTPS, TLS, SSL, and X.509 Certificates
HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). HTTPS creates a secure channel over an insecure network, and is widely used on the Internet. HTTPS utilizes the TLS protocol to send data over a network.
TLS and SSL
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols used to authenticate data transfers between servers, systems, applications and users. SSL is deprecated and obsolete. TLS is the cryptographic successor of SSL 3.0, but old habits die hard and the name SSL still sticks around.
Security and Encryption
In order for two machines to transmit data securely, the data must be obfuscated so if it is intercepted it cannot be read. Encryption is a powerful method of data obfuscation and is currently the only reliable method for making secure internet communication (and therefore internet commerce) possible.
Encryption is the process of using a complex mathematical formula to convert data into a coded form called ciphertext. Ciphertext is generated using a specific string or binary number called a key. Anyone with the key can unlock the ciphertext and read the original data.
Keys
Information about a user or device can be encrypted to produce two key files, or a public-private key-pair. These keys identify the user or device which created them. The keys can be used to sign digital documents and to identify a user or device to other devices on a network. Users and devices with keys (like servers, browsers, toasters, etc.) are often just called entities because they can literally be anything.
Technically a key is a long string of bits — a number, usually residing in a file somewhere. Each entity generates its own public and private key.
Public Key
The public key can be given to anyone. It is used by others to encode messages sent only to you.
Private Key
The private key, which you keep secret, is used to decode messages which have been encoded with your public key.
Generating Keys
There are a number of applications to help with generating a public-private key-pair:
- OpenSSL
- ssh-keygen
- PuTTYgen
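The roles of the two keys described above can be tried out with OpenSSL. This is an added example, not part of the original page; the file names (alice, bob), the message, RSA-2048 and OAEP padding are choices made for the demonstration.

```sh
#!/bin/sh
# Added example: generate a key pair and use it the way the Public Key and
# Private Key sections describe. File names and the message are constructed.

# make_keypair NAME -> writes NAME.key (private, keep secret) and NAME.pub (shareable)
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1.key" 2>/dev/null || return 1
    chmod 600 "$1.key"
    openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

# encrypt_for PUBKEY OUTFILE -> encrypts stdin so only the matching private key can read it
encrypt_for() {
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -out "$2"
}

# decrypt_with PRIVKEY INFILE -> prints the plaintext, or fails with a non-zero status
decrypt_with() {
    openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" 2>/dev/null
}

# keypair_demo -> prints "ok" when the owner can decrypt and another key holder cannot
keypair_demo() {
    dir=$(mktemp -d) || return 1
    make_keypair "$dir/alice" && make_keypair "$dir/bob" || return 1
    printf 'meet at noon' | encrypt_for "$dir/alice.pub" "$dir/msg.enc" || return 1
    plain=$(decrypt_with "$dir/alice.key" "$dir/msg.enc") || return 1
    if decrypt_with "$dir/bob.key" "$dir/msg.enc" >/dev/null; then
        result="wrong key decrypted"
    else
        result="ok"
    fi
    rm -rf "$dir"
    [ "$plain" = "meet at noon" ] && echo "$result"
}

keypair_demo
```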
PKI – Public-Key Infrastructure
One can send data encrypted with a private key and the public key can be used to decrypt it, but there is no assurance that an entity is who they say they are. To solve this problem, the PKI (Public-Key Infrastructure) model was defined to authenticate public keys by entrusting entities called Certificate Authorities (CA) to verify key owners. One particularly common use for the PKI model is within HTTPS.
Digital Certificates
A digital certificate, public key certificate, identity certificate, certificate, or just cert is a digital document signed by a trusted Certificate Authority which identifies the entity by cryptographically binding their public/private key pair to the cert. That cert is then stored with the entity.
X.509
The X.509 or EMV standard defines the most commonly used format for public key certificates. The OpenSSL Linux tool can be used to generate X.509 certificates.
Mutual Authentication
When two entities meet to communicate on a network they perform a “handshake” to exchange and verify certificates about each other, at the same time, in a process called mutual authentication or two-way authentication. On the web this certificate exchange occurs by means of the Transport Layer Security (TLS) protocol.
Each entity uses a list of trusted root certificates which link to other trusted certificates in a certificate chain to validate the CA and its signature on the other entity's certificate. If all keys match, everyone trusts each other and communication can commence.
Mutual authentication is the default mode of authentication in some protocols like IKE and SSH, but optional in TLS.
By default the TLS protocol only proves the identity of the server to the client using an X.509 certificate, and the authentication of the client to the server is left to the application layer. TLS also offers client-to-server authentication using client-side X.509 authentication. As it requires provisioning of the certificates to the clients and involves a less user-friendly experience, it’s rarely used in end-user applications.
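The certificate check that each side performs against its trusted roots can be reproduced offline with OpenSSL. This is an added example, not part of the original page, and it shows only the chain validation step, not a TLS handshake. All names (Demo Root CA, server.example.test, client-42, impostor.example.test) are constructed, and it assumes the stock openssl.cnf, which marks `req -x509` output as a CA certificate.

```sh
#!/bin/sh
# Added example: a throwaway PKI built with the openssl CLI. All names are
# constructed; relies on the stock openssl.cnf marking `req -x509` output as a CA.

# make_ca DIR NAME -> self-signed root certificate DIR/NAME.crt with key DIR/NAME.key
# Both roots deliberately share one subject name: trust follows the key, not the name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA ENTITY -> ENTITY makes a key and CSR, CA signs it into ENTITY.crt
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$3.csr" -days 1 -CAcreateserial \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -out "$1/$3.crt" 2>/dev/null
}

# trusts ROOT CERT -> succeeds only if CERT chains to the trusted root ROOT
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# pki_demo -> one line per peer certificate, saying whether it was accepted
pki_demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" trusted && make_ca "$dir" unknown || return 1
    issue_cert "$dir" trusted server.example.test || return 1
    issue_cert "$dir" trusted client-42 || return 1
    issue_cert "$dir" unknown impostor.example.test || return 1
    # Mutual authentication: each side checks the other's certificate against its roots.
    for peer in server.example.test client-42 impostor.example.test; do
        if trusts "$dir/trusted.crt" "$dir/$peer.crt"; then
            echo "$peer accepted"
        else
            echo "$peer rejected"
        fi
    done
    rm -rf "$dir"
}

pki_demo
```

The third certificate names an issuer with the same subject as the trusted root, but it was signed with a different key, so validation fails.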
More Resources
- https://aboutssl.org/certificate-authority/
- https://www.comparitech.com/blog/information-security/tls-encryption/
- https://www.ssl2buy.com/wiki/ssl-vs-tls
- https://www.ssh.com/pki/
- https://www.makeuseof.com/tag/common-encryption-types/
- https://en.wikipedia.org/wiki/Transport_Layer_Security
- https://www.quora.com/How-do-you-generate-a-public-and-private-key/answer/Peter-A-Smith-2
- https://medium.com/sitewards/the-magic-of-tls-x509-and-mutual-authentication-explained-b2162dec4401
- https://en.wikipedia.org/wiki/Public_key_infrastructure
- https://en.wikipedia.org/wiki/Mutual_authentication
- https://en.wikipedia.org/wiki/Certificate_authority
- https://en.wikipedia.org/wiki/Root_certificate