TLS certificate
Modern systems usually use an encryption protocol called TLS (Transport Layer Security) when communicating with other machines on the Internet. The predecessor to TLS was SSL (Secure Sockets Layer). When a web browser communicates with a web server, it usually uses the HTTP protocol. When that HTTP communication is encrypted using TLS, it is known as HTTPS.
It is recommended to use TLS on your website. To use TLS you will need a TLS certificate. A TLS certificate certifies that the owner of a certain public key is trusted by one or more third parties, known as certificate authorities, or CAs for short. By default, your operating system and web browser trust certain third parties and any certificates digitally signed by those third parties. Widely trusted CAs include Let's Encrypt, GlobalSign, IdenTrust, Comodo Cybersecurity, DigiCert and GoDaddy.
Public key encryption
The TLS protocol uses public key encryption. In public key encryption each party has a public and private key pair. The parties exchange their public keys freely when wanting to communicate with each other. Each party keeps their private key secret.
The public key and private key are mathematically related to each other. The public key can be used for encryption. The encrypted data can then only be decrypted using the matching private key.
Digital signatures
Public key encryption can also be used in reverse: the private key can be used for encryption and the public key for decryption. This is how digital signatures work. When you digitally sign something, you encrypt some data with your private key. Then anyone with your public key can verify that you must be the one who signed the data.
TLS Handshake
When a web browser connects to an HTTPS website, it will perform a TLS handshake with the web server hosting the website and verify the following:
- That the web server can decrypt messages you send it that are encrypted with the public key on the TLS certificate the server provided.
  - Whilst TLS certificates are public information, you cannot use a TLS certificate to impersonate someone else unless you have the private key that matches the TLS certificate's public key.
- That the certificate authority that signed the certificate is trusted by your operating system or web browser.
  - Your operating system and/or web browser have what is known as a certificate store, which contains all the certificates of trusted parties. You can manually add or remove certificates from your operating system's or web browser's certificate store.
- That the digital signature of the third party that claims to have signed the certificate is valid.
  - A digital signature is validated by using the third party's public key to decrypt the digital signature. If this decrypted data does not match the expected value, then the digital signature is invalid. You cannot impersonate someone else when digitally signing something, since you would need the private key that matches the public key you are impersonating.
If the TLS certificate was not signed by a trusted third party, then your web browser will usually warn you and ask whether you really want to connect to the web server.
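The three checks above can be modelled in a few lines. This is an added example, not code from the original page: it uses textbook RSA without padding (a toy, not real TLS), and the CA name, host name, keys and helper functions are all hypothetical.

```python
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes. Toy code: no padding, not for real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public key, private key)

def apply_key(key, value):
    """The one RSA operation: raise to the key's exponent modulo n."""
    n, exponent = key
    return pow(value, exponent, n)

def digest(data, n):
    # Hash the signed bytes and reduce the hash into the key's range.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def signed_bytes(cert):
    return repr((cert["subject"], cert["public_key"], cert["issuer"])).encode()

def issue(ca_name, ca_private, subject, subject_public):
    """The CA signs the subject's name and public key with its private key."""
    cert = {"subject": subject, "public_key": subject_public, "issuer": ca_name}
    cert["signature"] = apply_key(ca_private, digest(signed_bytes(cert), ca_private[0]))
    return cert

def check_server(cert, trust_store, server_decrypt):
    """Run the three handshake checks; server_decrypt models the remote server."""
    ca_public = trust_store.get(cert["issuer"])
    if ca_public is None:
        return "issuer not in certificate store"
    if apply_key(ca_public, cert["signature"]) != digest(signed_bytes(cert), ca_public[0]):
        return "invalid CA signature"
    secret = 2 + secrets.randbelow(cert["public_key"][0] - 2)
    if server_decrypt(apply_key(cert["public_key"], secret)) != secret:
        return "server does not hold the private key"
    return "ok"

def decrypt_with(private):
    return lambda ciphertext: apply_key(private, ciphertext)

# Constructed sample data: Mersenne primes make the toy keys reproducible.
CA_PUB, CA_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
SRV_PUB, SRV_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
STORE = {"Example Root CA": CA_PUB}  # the client's certificate store
GOOD = issue("Example Root CA", CA_PRIV, "www.example.com", SRV_PUB)
FORGED = issue("Example Root CA", OTHER_PRIV, "www.example.com", OTHER_PUB)
SELF_SIGNED = issue("Untrusted CA", OTHER_PRIV, "www.example.com", OTHER_PUB)
```

Calling check_server(GOOD, STORE, decrypt_with(SRV_PRIV)) returns "ok"; presenting the same public certificate without the matching private key, a certificate whose CA signature was made with another key, or one from an issuer missing from the store each fails at the corresponding check.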
Using TLS certificates
Normally generating a certificate, getting it signed and placing it on your server can be a hassle, especially since the certificate usually needs to be renewed once a year or so. Thankfully Cloudflare can simplify this process.
To let Cloudflare automatically generate certificates for you, go to your "Account Home" and select your domain name.
Then open the "SSL/TLS" accordion and select "Overview".
Now click on "Configure" in the SSL/TLS encryption section.
Choose to use "Custom SSL/TLS", select "Full (Strict)" and click "Save".
Now click on "Edge Certificates" on the left sidebar and enable "Always Use HTTPS".