Why Can’t Anyone Just Create Their Own TLS Certificate?

Asked By CuriousCat123 On

I've been trying to wrap my head around TLS certificates and how they work. It seems like these certificates are created and approved by trusted sources, but since they're just files saved on a computer or a web server, what stops someone from making their own certificate and claiming it's from a trusted source? If someone crafted a file that looked legitimate, wouldn't it potentially be accepted? I understand that certificates involve keys, but I'm still not clear on how that all fits in.

1 Answer

Answered By TechWhiz92 On

The main thing stopping anyone from pretending to be a trusted authority is the signing process. You need a private key to sign the certificate, and that’s something only the certificate authority has. When a browser encounters a certificate, it uses the public key from that authority to verify it. So, if you were to create your own certificate, it wouldn’t hold up in a browser unless you installed your own public key onto each system you want it to be recognized on.

LearningLou -

Oh, that makes complete sense now! I didn’t realize how critical that private key aspect was. It’s like a secret handshake that only the trusted parties know!
