How a certificate is signed ? (known also as issuing or producing)

Certificate Validity Period Not Before Not After Portecle


This article talks about how a certificate:

  • is send by a sender (known also as the owner)
  • and gets its signature from a trusted ca to validate the identity of the sender.

By signing a certificate, the CA tells I know this person or device: they are who they say they are

The processus is also known as issuing or producing a certificate.

A signed certificate is a certificate that have been signed

A certificate is insecure until it is signed, as only a signed certificate cannot be modified.

Only a certificate signed by a third Certificate Authority assure the authenticity of the owner.

The certificate can then be used:


To get a certificate to install it on your own infrastructure, the process is the following:

  • Create a Certificate signing Request for that private key with some information for purpose of future Certificate.
  • Send that Certificate Request to:
  • The certificate Authority will check the information provided in the certificate request (domain, mail, …) and may challenge it. For instance, to prove its ownership of the domain with:
    • setting a DNS TXT record
    • or hosting a file somewhere on a random path on the domain.
  • Once the challenge has been satisfied, the certificate Authority signs the request, issuing (producing) a public certificate CA signed.

You can sign it your self if you act as a Certificate Authority ( CA ). See: Cryptography Certificate - How to self-signed a Certificate (for a test or internal server)


You can automate the process with acme client

What to do when the certificat is signed ?

After getting a certificate from your Certificate Authority (CA), you can enable SSL communcation by installing your private key together with the received Certificate on:

Discover More
Certificate Validity Period Not Before Not After Portecle
CA Certificate

A CA certificate is a certificate used by a certificate authority to sign certificate. In the chain, it's the Root certificate or the intermediate certificates. Most organizations create an intermediate...
Certbot (letsencrypt | letsencrypt-auto)

Certbot is an acme client (Let’s Encrypt CA) (or any other CA) to issue SSL certificates. Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority...
Certificate Validity Period Not Before Not After Portecle
Certificat and chain verification

A certificate check is equivalent to an authentication. The signature of the certificate is verified with the public key to check if it was signed (issued) by a trusted party (usually a trusted...
Challenge of ownership

challenge are actions that permits to verify the ownership of a private key. They are used during the CA certificate signing verification To get a domain validated certificate, you need to prove the...
Csr Ldap Dn Properties
Cryptography - Certificate Signing Request

When requesting a signed certificate, an additional file must be created. This file is called Certificate Signing Request, generated from the Private Key. See the procedure at signed certificate procedure...
Certificate Validity Period Not Before Not After Portecle
Cryptography - X.509

x.509 is the specification / version of a certificate It's defined in the 5280rfc5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile When you see...
Certificate Validity Period Not Before Not After Portecle
Cryptography Certificate - How to self-signed a Certificate (for a test or internal server)

When a certificate is used to sign itself, it is called a self signed certificate. All root CA certificates of the certificate chain are self signed. This article shows you how to create a self-signed...
Certification Chain Path Chrome Dev
Cyrptography - Certificate chain

A certificate can have been issued (signed) by another CA creating a chain (or path). See certificate chain There are several types of certificate: root certificate. The root of the tree. (All root...
Domain Validate Certificate
Domain Validated Certificates (DV)

Domain Validated certificates are server signed certificates where the ownership of the domain was checked. There is no identifying organizational information for these certificates and thus should never...
400 Default Page No Required Ssl Certificate
How to configure certification based client authentication with Nginx ?

This article shows you how to configure a client authentication via the ownership of a certificat on a Nginx web server. The server should be already configured for HTTPS as client certificate (client...

Share this page:
Follow us:
Task Runner