Why do we trust a website certificate
When you go to a HTTPS website, you probably see that the website has a valid certificate. For example, here is Networklessons.com:
It shows up as "valid". Why do we trust this certificate?
Take a closer look at the certificate:
The certificate is signed by Amazon. Why do we trust Amazon? Take a look at the Certification Path:
We see multiple Intermediate CAs in between and on top is the Root CA (Starfield Class 2 Certification Authority). We can take a closer look at this certificate:
The certificate shows up as "OK":
Why do we trust "Starfield Class 2"? To answer that question, we open control panel on Windows and look for "Manage computer certificates":
Look for the Trusted Root Certification Authorities and scroll down until you find "Starfield Class 2 Certification Authority":
There it is. The reason we trust this certificate is because it's pre-installed on Microsoft Windows.
Microsoft has a "Microsoft Trusted Root Program" where they decide what root certificates become pre-installed.
The reason you trust the networklessons.com certificate is because:
- The networklessons.com certificate was signed by an intermediate CA from Amazon.
- The Amazon intermediate CA certificate was signed by the intermediate CA "Amazon Root CA 1".
- The Amazon Root CA 1 certificate was signed by the intermediate CA "Starfield Services Root Certificate Authority - G2".
- The Starfield Services Root Certificate Authority - G2 was signed by Root CA "Starfield Class 2 Certification Authority".
- We trust Root CA "Starfield Class 2 Certification Authority" because it is pre-installed on Microsoft Windows 10.