It all boils down to secrets, identity and trust. We can use Digital Certificates to safely exchange secrets, establish identities, and confirm that those identities have been verified by a trusted source. All of this is made possible by Asymmetrical Cryptography.

Cryptography and secret codes have a long history, starting long before computers were invented. The problem of sending information that must stay secret over a channel that others might, or definitely will, have access to has been around for a long time. Whether messages were passed via a courier who could be captured or via radio waves that anyone can listen to, the need to send information that only the intended recipient can decode and read has been met by encoding or encrypting the information with a secret key that only the recipient should have.


Cryptography: The study and practice of techniques for secure communications.

https://en.wikipedia.org/wiki/Cryptography


Moving into the digital age of computers, the problem is still the same. Anything that is stored on disk might come into the hands of someone who shouldn’t have it, and anything sent over a network must be sent on the assumption that others are able to read the raw transmissions.

The basic solution to this problem is to use a cipher to encrypt the information using a secret code. If the cipher is complex enough and the secret key is of sufficient length, then it should prevent the decryption of the information without the secret key. The use of a single secret key for encryption and decryption is called symmetrical cryptography. Symmetrical cryptography has a lot of advantages, but one of the downsides is the transmission of the secret key. If both parties are able to get a copy of the secret key via a different channel than the one the information is going to be transmitted by, then it is a much smaller problem. But if the party you want to send information to doesn’t have a shared secret with you already and the only channel you can use to communicate is public, such as a computer network, then sharing a secret key becomes a very hard problem.


Cipher: An algorithm used for performing encryption and decryption.

https://en.wikipedia.org/wiki/Cipher


Asymmetrical cryptography is one of the solutions for this problem. Asymmetrical cryptography uses two keys instead of just one key. The matched pair of keys (called the private key and the public key) are used together, and what you encrypt with one key can only be decrypted with the other key. This functionality is very useful.

By encrypting something with the private key and then making both the encrypted data and the public key used for decrypting the data publicly available, you have a way of verifying the source of the information. Since the encrypted data can only be decrypted with this specific public key, and this specific public key can only decrypt what was encrypted by its matching private key, you know that the information was encoded by the holder of the private key.

When the public key is published publicly, it allows anyone to send a secure message over a public channel to the holder of the private key, by encrypting the message with the public key.

This two-key system makes secure communication possible. You make your public key publicly available and keep the private key private. Then when you need to communicate securely with a remote party, you have a way of setting up a shared secret. The remote party uses your public key to encrypt a secret and sends that secret to you, and since only you, the holder of the private key, can read what is sent, there is now a shared secret between the two parties that can be used as the basis for encryption and decryption of information.

Now that we have established what asymmetrical cryptography is, let's look at how it is used with computers. With computers it is all about file formats and protocols, so that you know how to ask for something. This is where Digital Certificates come into play. When you hand out your public key, people need to know who it belongs to. So the public key is put into a digital certificate, and that certificate contains all sorts of information about the holder of the private key that matches this public key.

That is where identity comes in. Anyone can generate a set of keys, and keys never expire. So we use the digital certificate to identify the owner of the private key that matches this public key. That way, when you have a public key, you can have some idea who is on the other end of the communication you are about to engage in. The digital certificate will have a number of identifiers included, customized to who is being identified with this certificate. Certificates used for a Web Site will typically have the organization and the domain name(s) that this certificate is valid for. Certificates that identify users will have the specific username and possibly their real name, email address and title included.

Once again, with computers, anyone can create a digital certificate that has any identifiers they want included. So how do we trust that the information in a given certificate is accurate? Well, that is where Certificate Authorities (CAs) come in.

A number of companies have set themselves up as trustworthy organizations. They do the work to verify that all of the information to be included in the digital certificate is accurate, and they add their stamp of approval to the created certificate, so that anyone who views the certificate can see the stamp of approval and verify that it comes from a trusted source. These organizations identify themselves with a Root Certificate Authority Certificate. That Root CA certificate is then used to sign some intermediate certificate authorities. Those intermediate CAs are then used to sign the digital certificate that a Web Site will use.

So the process goes like this. You want a trusted SSL Certificate for your web site, so you create a certificate signing request file that contains your public key and the information that you want the certificate to contain, such as who you are, where you are located and the domain name you want the SSL Certificate to be valid for. You choose the Certificate Authority that you want to sign your SSL Certificate and upload that Certificate Signing Request file (.csr) to them. The CA then verifies the information that you have included and, importantly, that you own or have authority over the Domain Name that the SSL Certificate is created for. Once all of the verifications have passed, the CA will create the public certificate and sign it with their Certificate Authority Certificate, proving that this SSL Certificate met their standards. Then you can use that SSL Certificate on your Web Site, and when people browse your website their Web Browser will verify that your SSL Certificate is trusted by following the chain of trust for your Certificate all the way back to a Root CA Certificate that it trusts.
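
A toy model of the two ideas above, the matched key pair and the chain of trust back to a Root CA, as an added example that is not part of the original article. It uses unpadded textbook RSA over small Mersenne primes purely to show the mechanics; the certificate fields, the names (Example Root CA, www.example.test) and the function names are assumptions, and real certificates use the X.509 format with padded signatures.

```python
import hashlib, json
E = 65537  # public exponent shared by every toy key below

def keypair(a, b):
    """Toy RSA (public, private) pair from the Mersenne primes 2**a-1 and 2**b-1; constructed, not secure."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "e": E}, {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(body, n):
    """Hash the certificate fields to an integer below the signer's modulus."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, subject_pub, issuer, issuer_priv, is_ca):
    """The CA step: bind an identity to a public key and sign it with the CA's private key."""
    body = {"subject": subject, "issuer": issuer, "pub": subject_pub, "ca": is_ca}
    n, d = issuer_priv["n"], issuer_priv["d"]
    return {"body": body, "sig": pow(digest(body, n), d, n)}

def signed_by(cert, pub):
    """Undo the signature with the public key and compare it with a fresh hash."""
    return pow(cert["sig"], pub["e"], pub["n"]) == digest(cert["body"], pub["n"])

def verify_chain(chain, trust_store):
    """chain is [site, intermediate, ...]; succeed only if it ends at a trusted root key."""
    for i, cert in enumerate(chain):
        issuer = cert["body"]["issuer"]
        if issuer in trust_store:
            return signed_by(cert, trust_store[issuer])
        if i + 1 == len(chain):
            return False  # ran out of certificates before reaching a trusted root
        parent = chain[i + 1]["body"]
        if parent["subject"] != issuer or not parent["ca"] or not signed_by(cert, parent["pub"]):
            return False
    return False

root_pub, root_priv = keypair(107, 127)
int_pub, int_priv = keypair(61, 89)
site_pub, site_priv = keypair(521, 607)
TRUST_STORE = {"Example Root CA": root_pub}  # root keys the browser already trusts
int_cert = issue("Example Intermediate CA", int_pub, "Example Root CA", root_priv, True)
site_cert = issue("www.example.test", site_pub, "Example Intermediate CA", int_priv, False)

def share_secret(secret):
    """Visitor encrypts with the site's public key; only the private key recovers it."""
    ciphertext = pow(secret, site_pub["e"], site_pub["n"])
    return pow(ciphertext, site_priv["d"], site_priv["n"])

print(verify_chain([site_cert, int_cert], TRUST_STORE), share_secret(2024) == 2024)
```

Changing any field of a certificate after it was signed, leaving out the intermediate, or signing with a key that does not lead back to the trust store all make `verify_chain` return `False`.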