Loading learning content...
When you connect to https://bank.example.com, how do you know you're actually communicating with your bank and not an attacker? The answer lies in certificate exchange—the process by which servers prove their identity using digital certificates.
Certificate exchange is the authentication cornerstone of TLS. Without it, encrypted communication would be meaningless; you'd have a perfectly secure channel to an adversary. The certificate system provides:
This page explores the mechanics of certificate exchange: what certificates contain, how they're transmitted, how clients validate them, and the trust model that makes global secure communication possible.
This page provides a comprehensive examination of TLS certificate exchange. You will understand X.509 certificate structure, certificate chain construction, client validation procedures, common validation failures, and the difference between DV, OV, and EV certificates.
Digital certificates in TLS use the X.509 standard, defined by ITU-T and documented in RFC 5280. An X.509 certificate is essentially a signed document binding a public key to an identity.
Certificate Fields:
Every X.509 v3 certificate contains these standard fields:
| Field | Description | Example Value |
|---|---|---|
| Version | X.509 version (typically v3) | 3 (0x2) |
| Serial Number | Unique identifier (per issuer) | 0x03:7F:F4:A8:9B:2D:... |
| Signature Algorithm | Algorithm used to sign the certificate | sha256WithRSAEncryption |
| Issuer | Certificate Authority that issued/signed | CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc... |
| Validity | Not Before / Not After dates | Jan 1 00:00:00 2024 GMT - Dec 31 23:59:59 2024 GMT |
| Subject | Entity the certificate identifies | CN=www.example.com, O=Example Inc, L=San Francisco... |
| Subject Public Key Info | Algorithm and public key material | RSA 2048-bit or EC P-256 |
| Extensions | v3 extensions for additional constraints | Key Usage, SAN, Basic Constraints... |
| Signature | CA's signature over the certificate | 256 bytes (RSA-2048) or 64 bytes (ECDSA-P256) |
Critical Extensions:
X.509 v3 introduced extensions that provide essential functionality:
Subject Alternative Name (SAN): Lists all domain names and IP addresses the certificate is valid for. Modern browsers require SAN; the Subject CN field is deprecated for domain validation.
X509v3 Subject Alternative Name:
DNS:www.example.com
DNS:example.com
DNS:api.example.com
IP Address:192.0.2.1
Key Usage: Defines allowed uses of the public key—prevents a signing key from being used for encryption or vice versa.
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
Extended Key Usage: More specific usage constraints—server authentication, client authentication, code signing, etc.
X509v3 Extended Key Usage:
TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
Basic Constraints: Indicates if the certificate can sign other certificates (CA:TRUE) or is an end-entity.
X509v3 Basic Constraints: critical
CA:FALSE
Since 2017, browsers only check the Subject Alternative Name extension for domain validation. The Subject Common Name (CN) field is ignored. Certificates without a SAN containing the expected domain will fail validation. Always include SANs when generating certificates.
During the TLS handshake, certificate exchange occurs after the Hello messages. The timing and encryption status differ between TLS versions.
TLS 1.2 Certificate Message:
In TLS 1.2, the Certificate message is sent in clear text, immediately after ServerHello:
ServerHello
Certificate <-- Unencrypted, visible to observers
ServerKeyExchange (if DHE/ECDHE)
ServerHelloDone
The Certificate message contains:
TLS 1.3 Encrypted Certificate:
In TLS 1.3, the Certificate message is encrypted with handshake traffic keys:
ServerHello
EncryptedExtensions
{Certificate} <-- Encrypted, not visible to passive observers
{CertificateVerify}
{Finished}
This is a privacy improvement—attackers cannot see which certificate (and thus which website) the server presents.
Server Name Indication (SNI):
SNI, sent in the ClientHello, tells the server which hostname the client is connecting to. This allows:
TLS 1.3 and Encrypted Client Hello (ECH):
To address SNI privacy, Encrypted Client Hello (formerly ESNI) encrypts the SNI using a public key obtained via DNS. This prevents network observers from seeing which site you're connecting to.
Certificate Chain Ordering:
The Certificate message should contain certificates in order:
Some servers misconfigure this order, causing validation failures on strict clients.
Use openssl s_client -connect server:443 -showcerts to view the certificate chain sent by a server. SSL Labs and testssl.sh also diagnose chain issues. A common problem is missing intermediate certificates, causing failures on clients without cached intermediates.
Certificate validation is the process of verifying that a certificate can be trusted. It's a multi-step procedure that must complete successfully for the handshake to proceed.
The Chain of Trust:
Certificate trust is established through a chain:
Root CA (self-signed, trusted by client)
|
└── Intermediate CA (signed by Root)
|
└── End-Entity Certificate (signed by Intermediate)
The client holds a list of trusted root CAs. If it can construct a chain from the server's certificate to a trusted root, and all signatures verify, the certificate is trusted.
Validation Steps:
Signature Verification Details:
For each certificate pair (subject, issuer) in the chain:
tbsCertificate (to-be-signed portion) from the subject certificateisValid = Verify(
issuerPublicKey,
signature,
Hash(tbsCertificate)
)
If verification fails at any step, the chain is invalid and the handshake must abort.
Path Length Constraints:
The pathLenConstraint in Basic Constraints limits how many intermediate CAs can exist below a given CA:
Basic Constraints: critical
CA:TRUE, pathLenConstraint:0
This means the CA can only sign end-entity certificates, not other CAs. It's a defense against CA compromise—a stolen intermediate with pathLenConstraint:0 cannot create further intermediates.
Skipping any validation step creates vulnerabilities. Many TLS exploits target applications that disable certificate validation 'for testing' and forget to re-enable it. Libraries often provide options like 'verify=False'—these should NEVER be used in production.
Even with a valid certificate chain, the certificate must be for the correct host. Hostname verification ensures the certificate matches the server you intended to reach.
Where to Check:
DNS: entriesMatching Rules (RFC 6125):
| Certificate SAN | Requested Host | Match? | Reason |
|---|---|---|---|
| DNS:www.example.com | www.example.com | ✅ Yes | Exact match |
| DNS:www.example.com | WWW.EXAMPLE.COM | ✅ Yes | Case-insensitive |
| DNS:www.example.com | api.example.com | ❌ No | Different subdomain |
| DNS:*.example.com | www.example.com | ✅ Yes | Wildcard matches single label |
| DNS:*.example.com | api.example.com | ✅ Yes | Wildcard matches single label |
| DNS:*.example.com | example.com | ❌ No | Wildcard requires at least one label |
| DNS:*.example.com | sub.www.example.com | ❌ No | Wildcard only matches ONE label |
| DNS:..example.com | anything | ❌ No | Multi-level wildcards prohibited |
| IP Address:192.0.2.1 | 192.0.2.1 | ✅ Yes | IP match (IP literal in URL) |
Wildcard Certificate Rules:
Wildcard certificates (*.example.com) are common for covering multiple subdomains but have strict rules:
*.example.com matches www.example.com but not sub.www.example.com*.example.com. Invalid: www.*.com, *.*.example.comw*.example.com is not valid*.com is explicitly prohibited*.example.com does NOT match example.comPublic Suffix Considerations:
Certificate Authorities cannot issue wildcards for public suffixes (like *.com, *.co.uk, *.github.io). The Public Suffix List (maintained by Mozilla) defines these boundaries, preventing overly-broad wildcards.
Verification in Practice:
Most TLS libraries perform hostname verification automatically, but some require explicit configuration:
ssl: Set check_hostname=True (default since 3.4)SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")tls.Config.ServerName must be sethttps moduleDisabling or misconfiguring hostname verification is the single most common TLS implementation vulnerability. An attacker with ANY valid certificate (even for malicious.attacker.com) could intercept connections if hostname verification is disabled. Always verify hostnames in production.
Certificates may need to be invalidated before their natural expiration—typically due to private key compromise, CA errors, or organization changes. Revocation checking attempts to verify certificates haven't been revoked.
Certificate Revocation List (CRL):
Traditional revocation mechanism. CAs periodically publish signed lists of revoked certificates.
How CRL works:
CRL Limitations:
OCSP (Online Certificate Status Protocol):
A more targeted approach—clients query the CA about a specific certificate's status.
How OCSP works:
nextUpdate periodOCSP Stapling:
To address OCSP privacy and availability concerns, TLS supports OCSP stapling:
Enabling OCSP stapling (Nginx):
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
Must-Staple:
A certificate extension requiring servers to staple OCSP responses. If the server fails to staple, clients must reject the connection. This prevents attackers from blocking OCSP checks.
Most browsers use 'soft-fail' for revocation: if CRL/OCSP is unreachable, they proceed—an attacker could simply block revocation traffic. Chrome took a different approach with CRLSets: a pruned list of high-priority revocations pushed via browser updates. For critical applications, OCSP stapling with must-staple is the most robust approach.
Certificates come in different validation levels, reflecting how thoroughly the CA verified the applicant's identity. All provide the same cryptographic security, but differ in the identity assurance they provide.
Domain Validated (DV) Certificates:
The most basic validation—CA only verifies you control the domain.
Validation methods:
http://domain/.well-known/acme-challenge/tokenCharacteristics:
Organization Validated (OV) Certificates:
CA verifies you control the domain AND verifies your organization exists.
Additional validation:
Characteristics:
| Aspect | Domain Validated (DV) | Organization Validated (OV) | Extended Validation (EV) |
|---|---|---|---|
| Domain control verification | ✅ | ✅ | ✅ |
| Organization existence check | ❌ | ✅ | ✅ |
| Physical address verification | ❌ | Varies | ✅ |
| Legal entity verification | ❌ | ❌ | ✅ |
| Operational existence check | ❌ | ❌ | ✅ |
| Issuance time | Minutes | 1-3 days | 1-2 weeks |
| Typical cost | Free-$100/yr | $50-200/yr | $200-1000/yr |
| Certificate Subject | CN only | CN + O, L, ST, C | Full organization details |
| Browser UI indicator | Padlock | Padlock | Padlock (green bar deprecated) |
Extended Validation (EV) Certificates:
The highest validation level—extensive vetting of the organization's legal identity and operational existence.
Additional validation:
The EV UI Debate:
Historically, browsers displayed EV certificates prominently (green bar, company name). Research showed users didn't understand or notice these indicators. As of 2019-2020, major browsers removed EV visual distinctions, displaying all certificates identically. This deprecation sparked debate about whether EV provides meaningful user security.
Modern Recommendations:
Let's Encrypt, launching in 2015, made DV certificates free and automated via the ACME protocol. HTTPS adoption jumped from ~40% to >90% of web traffic. For most use cases, automated DV certificates with 90-day lifetimes (forcing frequent renewal, limiting compromise impact) provide excellent security at zero cost.
In standard TLS, only the server presents a certificate. Mutual TLS (mTLS) adds client certificate authentication—both parties prove their identity.
When is mTLS used?
mTLS Message Flow (TLS 1.2):
CertificateRequest Message:
The server indicates it wants client authentication by sending CertificateRequest, which contains:
The client must present a certificate signed by one of the specified CAs.
CertificateVerify Message:
The client proves it possesses the private key for its certificate by signing a hash of all handshake messages seen so far:
CertificateVerify = Sign(ClientPrivateKey, Hash(HandshakeMessages))
The server verifies this signature using the client certificate's public key.
mTLS in TLS 1.3:
TLS 1.3 made client authentication changes:
The primary challenge with mTLS is certificate lifecycle management at scale. Each client needs a certificate provisioned, renewed, and revoked when compromised. Solutions like SPIFFE (Secure Production Identity Framework for Everyone) and service meshes (Istio, Linkerd) automate mTLS for microservices, making deployment practical.
Certificate exchange is the trust anchor of TLS. Without it, encryption would be pointless—you'd have a secure channel to an unknown (possibly malicious) party. The certificate system provides the identity assurance that makes secure communication meaningful.
What's Next:
With certificate exchange understood, we move to the cryptographic core of the handshake: key derivation. The next page explores how the handshake's inputs are transformed into session keys through key derivation functions, ensuring each connection has unique, secure encryption keys.
You now understand TLS certificate exchange — how servers prove their identity and how clients validate that proof. This knowledge enables you to configure certificates correctly, troubleshoot validation failures, and understand the trust model underlying secure internet communication.