What is a digital certificate and what is its purpose in TLS?

Prepare for the Navy IT Communications Part 5 Test. Study effectively with multiple-choice questions, detailed explanations, and expert tips. Ace your exam with confidence!

Multiple Choice

What is a digital certificate and what is its purpose in TLS?

Explanation:
Digital certificates in TLS bind a public key to an identity, allowing the client to trust who it is talking to and to establish a secure channel. The certificate, issued by a trusted authority, carries the entity’s identity (like a domain), the public key, validity dates, and the CA’s signature. During the TLS handshake, the server presents this certificate and the client verifies the chain of trust, checks that the domain matches, and confirms the certificate isn’t expired or revoked. Once verified, the public key inside the certificate is used to perform a key exchange that yields a shared session key, enabling the encryption of all subsequent data in transit. This mechanism provides both server authentication and the means to securely derive encryption keys for the session. It’s not about encrypting emails by itself, it doesn’t verify hardware identity, and it isn’t separate from the keys used in securing the connection.

