The handshake
- Client says: “Here are the cipher suites I support”
- Server replies with a certificate (public key)
- Client verifies the certificate chain
- They agree on session keys (usually via ECDHE)
- After that: traffic is encrypted + authenticated
What you get
- Confidentiality (encryption)
- Integrity (tamper detection)
- Authenticity (you’re talking to the right server)
Common gotchas
- Expired certs
- Wrong hostname (SAN mismatch)
- Missing intermediate certs