← Back

Public Key Infrastructure

Certificate Chain of Trust

DigiTrust Root CA Root Certificate

Subject:

CN=DigiTrust Root CA, O=DigiTrust Inc, C=US

Issuer:

CN=DigiTrust Root CA (Self-Signed)

Validity:

2020-01-01 to 2040-12-31 (20 years)

Public Key:

RSA 4096-bit: MIICIjANBgkqhkiG9w0BAQEFAAOCA...

✅ Self-signed (Trusted by OS/Browser)

⬇️

DigiTrust TLS CA Intermediate CA

Subject:

CN=DigiTrust TLS CA, O=DigiTrust Inc, C=US

Issuer:

CN=DigiTrust Root CA

Validity:

2023-01-01 to 2028-12-31 (5 years)

Public Key:

RSA 2048-bit: MIIBIjANBgkqhkiG9w0BAQEFA...

🔏 Signed by DigiTrust Root CA

⬇️

example.com End-Entity Certificate

Subject:

CN=example.com, O=Example Corp, C=US

Issuer:

CN=DigiTrust TLS CA

Validity:

2024-01-01 to 2025-01-01 (1 year)

Subject Alternative Names:

example.com, www.example.com, api.example.com

Public Key:

ECDSA P-256: MFkwEwYHKoZIzj0CAQYIKoZI...

🔏 Signed by DigiTrust TLS CA

🌐

Browser receives
server cert

→

🔍

Check signature
against intermediate

→

📜

Check intermediate
against root

→

✅

Root in trusted
store?

✅ Certificate chain is valid and trusted

How PKI Works

Root CAs: Pre-installed in browsers/OS. Their public keys are implicitly trusted.

Intermediate CAs: Signed by root CAs. Issue end-entity certificates. Provide layer of protection (root stays offline).

End-Entity Certificates: Issued to websites/servers. Prove server identity to clients.

Verification: Browser walks up the chain, verifying each signature until reaching a trusted root.

This is how HTTPS ensures you're connected to the real website!