TLS Handshake

The client initiates the handshake by sending a "hello" message to the server. The message will include information like TLS version (ex. v1.2 or 1.3), cipher suites (algorithms used to encrypt the data), and other preferences to the client.

The Server will reply with a message selecting the cipher suite and providing a digital certificate used for authentication - this contains the Server’s domain, Certificate Authority, and the public key to be used for asymmetric encryption.

Certificate Authority is a trusted third-party entity responsible for validating the authenticity of digital certificates.

The client verifies the Server's certificate with the Certificate Authority that issued it. This confirms that the server is who it says it is, and that the client is interacting with the actual owner of the domain.

For security reasons, certificates expire and need to be renewed typically every 90 days.

The Client generates a secret key and encrypts it using the Server’s public key for the certificate. The encryption method used depends on the cipher suite agreed on.

The Server decrypts the secret key using its private key and verifies it matches the secret key generated by the client before. If valid, the Server sends “finished” encrypted with a session key to the Client.