Digital Certificate

I’m a bit confused on Digital Certificates. I understand the chain of trust and how you decrypt each certificate starting from the root etc. But what I’m confused about is that when you decrypt, you are left with a hash value. What do you use to verify this hash since hashing is a one-way street? And are the public keys that you get from decrypting a certificate not hashed?

Also, why is it that if you have the private key for a digital signature, you are suddenly able to read all HTTPS traffic? I thought HTTPS encryption was between the browser and the server (initially encrypting the symmetric key using the server’s public key). Even if you had the entity’s private key that signed the server’s certificate, you wouldn’t have the server’s private key which you’d need to decrypt the HTTPS traffic right?

Thank you.


The Chain of Trust works in this way: when your browser accesses any website, it checks for the website owner’s certificate, which has fields like the owner’s public key, Issuer’s CA, Issuer’s signature, etc. Now from this, the browser uses Issuer’s CA to get the issuer’s certificate. It verifies the issuer’s signature using the issuer’s signature that’s already there in the owner’s certificate. Now, this process goes on till the browser gets the Root CA and verifies its signature with the intermediate CAs. You can understand this more by looking at a simple diagram like this at The decryption starts from the owner’s certificate until the root certificate and not the other way around. The chain terminates at the Root CA. The public keys are public, so they aren’t hashed. The hash is for the whole certificate that is being verified.

Now coming to your second question, the SSL/TLS encryption between a client and a server is formed using the certificate of the server and some random strings encrypted together with the server’s private key. Now, the traffic going through this client to this server can be decrypted by the server. Imagine this server is not trusted; it can decrypt the traffic using its private key. I would suggest you read how TLS works. I find this site useful while revising my concepts.
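As an added illustration of the hash check asked about above (not part of either post): a verifier never reverses the hash. It recomputes the hash over the signed portion of the certificate and compares it with the value recovered from the signature using the issuer's public key. The sketch assumes textbook RSA without padding, toy key sizes, and a hypothetical dict-based certificate layout; all names and keys are constructed.

```python
import hashlib

def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def tbs_bytes(cert):
    # The signed portion: names plus the subject's public key, in the clear.
    return "|".join(str(cert[k]) for k in ("subject", "issuer", "pub_n", "pub_e")).encode()

def digest(data, n):
    # SHA-256 as an integer; reduced mod n only because the toy moduli are small.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, subject_key, issuer, issuer_key):
    cert = {"subject": subject, "issuer": issuer,
            "pub_n": subject_key["n"], "pub_e": subject_key["e"]}
    # Signing: the issuer applies its private exponent to the hash.
    cert["sig"] = pow(digest(tbs_bytes(cert), issuer_key["n"]),
                      issuer_key["d"], issuer_key["n"])
    return cert

def verify(cert, issuer_cert):
    n, e = issuer_cert["pub_n"], issuer_cert["pub_e"]
    recovered = pow(cert["sig"], e, n)        # the hash the issuer signed
    recomputed = digest(tbs_bytes(cert), n)   # the hash we compute ourselves
    return recovered == recomputed            # nothing is ever "un-hashed"

def verify_chain(chain, trusted_root):
    # chain is leaf first, root last; the root must already be in the trust store.
    if chain[-1] != trusted_root:
        return False
    issuers = chain[1:] + [chain[-1]]         # the root is self-signed
    return all(c["issuer"] == i["subject"] and verify(c, i)
               for c, i in zip(chain, issuers))

def build_demo_chain():
    # Constructed toy keys (textbook RSA, no padding) from known Mersenne primes;
    # real CA keys are 2048 bits or more and use PKCS#1 v1.5 or PSS padding.
    root_k = make_key(2**107 - 1, 2**127 - 1)
    inter_k = make_key(2**61 - 1, 2**89 - 1)
    leaf_k = make_key(2**19 - 1, 2**31 - 1)
    root = issue("Root CA", root_k, "Root CA", root_k)
    inter = issue("Intermediate CA", inter_k, "Root CA", root_k)
    leaf = issue("www.example.test", leaf_k, "Intermediate CA", inter_k)
    return [leaf, inter, root], root

if __name__ == "__main__":
    chain, root = build_demo_chain()
    print("chain valid:", verify_chain(chain, root))
```

Changing any signed field of a certificate, such as swapping in a different public key, makes the recomputed hash differ from the recovered one, so `verify` returns `False` for that link and the whole chain is rejected.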

Certificate Authorities and HTTPS (12:29)
“Once you break out of VPN”
I don’t understand what you mean by “break out of VPN”.
Can you clarify?

The VPN encrypts your traffic only till its servers. When you connect to the VPN, your traffic gets encrypted from your origin and travels to the VPN server as shown in the video. Once the packet leaves the VPN server, it gets decrypted and only normal HTTPS encryption is used. So, the VPN doesn’t encrypt the traffic further. When the packet returns to the VPN server, it gets encrypted again and sent back to you. So, breaking out of VPN means the traffic that leaves the VPN, which is not encrypted by the VPN and can be attacked.