Gary Gets His Shop Certified.
The council says Gary needs an official licence to serve coffee. The chain of trust runs from the Lord Mayor to the Deputy to Gary — and everyone checks the signatures.
At the top of the chain is the Lord Mayor — everyone in town trusts him, because a copy of his certificate is already in everyone's wallet (that wallet is the trust store). He signed his own certificate (he's the only one allowed to). That's the Root CA — self-signed, kept locked in a vault. He barely ever comes out: his key is far too valuable to risk on day-to-day work.
The Mayor appointed a Deputy Mayor and signed her certificate. She handles the day-to-day licence approvals. That's the Intermediate CA — signed by the root, does the actual work. If her key is ever stolen, the Mayor revokes her and appoints a new Deputy; nobody in town has to replace their copy of his certificate.
Gary walks up to the Deputy and says: "I'd like a licence to serve coffee at 10 Cipher Lane, also known as Gary's Coffee Shop." He fills out a form with his details and his public key, and signs the form with his private key. The private key stays in Gary's till; the Deputy never sees it.
That form is the CSR — Certificate Signing Request. The Deputy checks that Gary really controls the names on the form and that the form's signature matches the enclosed public key, signs the licence, and hands it over. The licence lists SANs — Subject Alternative Names (all the names the certificate covers; browsers match the hostname against the SANs, not against the Common Name).
When a customer walks in, they can check Gary's licence: signed by the Deputy, who was signed by the Mayor, who everyone trusts.
That chain — Mayor → Deputy → Gary — is the certificate chain of trust. Each link is a digital signature. Break any link and the chain fails.
One day, Gary starts selling dodgy coffee — food poisoning everywhere. The Deputy crosses Gary off her list and posts it on the town noticeboard.
That list is the CRL — Certificate Revocation List. But the noticeboard only updates weekly, and it gets long. Some customers want to check right now, so they phone the Deputy directly: "Is Gary still legit?" That phone call is OCSP — Online Certificate Status Protocol. Two catches: the Deputy now learns which shop every customer is standing in, and if her phone is engaged most customers just shrug and buy the coffee anyway (browsers "soft-fail" when the OCSP responder doesn't answer).
Even better — Gary starts carrying a stamped letter from the Deputy dated today, proving he's still legit. He shows it to every customer himself. That's OCSP Stapling — the server fetches the CA's signed, time-limited OCSP answer and hands it over along with its certificate, so the client never has to call the CA and the CA never learns who the clients are. The letter is only valid for a few days, so Gary has to keep collecting fresh ones. And unless the licence itself says "only valid when shown with a current letter" (the OCSP Must-Staple extension), a customer who gets no letter usually lets it slide. The best of the three, when it's actually enforced.
A bloke on the corner starts serving coffee with a licence he wrote himself — no Mayor, no Deputy. Customers check: "who signed this?" He grins: "I did." Nobody trusts him.
That's a self-signed certificate. The signature is valid — it just proves nothing to anyone who didn't already trust the signer. Note that the Mayor's certificate is self-signed too; the only difference is that his is already in everyone's wallet. A self-signed certificate is fine for a lab or an internal service if you hand the certificate to every client in advance, and worthless on the public internet.
Different shops need different levels of licence. The street food van just needs to prove he controls the parking spot: the Deputy gives him a token, he puts it on the spot (a DNS record or a file on the web server), and she checks it's there. Five minutes, automated, free. That's DV — Domain Validated. Quick, cheap, proves only domain control. The proper café proves the business is real — registered company, real address. That's OV — Organisation Validated. The bank branch needs a full background check — legal existence confirmed, directors verified, physical address checked. That's EV — Extended Validation. The most vetting, but not more encryption: all three give you the same TLS, and modern browsers no longer show EV any differently in the address bar.
Gary also gets a wildcard licence: *.GarysCoffee.com. Valid for any shop Gary opens on the lane: orders.GarysCoffee.com, staff.GarysCoffee.com, whatever comes next. One licence, all subdomains. Two pieces of small print: the wildcard matches exactly one label, so it does not cover the bare GarysCoffee.com (that has to be listed as its own SAN) or anything deeper such as a.b.GarysCoffee.com. And convenient means risky: every server that presents the wildcard holds the same private key, so a key stolen from the least-defended one controls every subdomain.
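All of the above in working code, as an added example written for this page (not code from the original story): Go's standard library only, nothing touches the network, and every name, serial number and hostname in it (Lord Mayor Root CA, garyscoffee.com, corner-coffee.com, serial 1001) is made up for the illustration. It builds Mayor → Deputy → Gary from a CSR, checks the chain and the SANs including the one-label wildcard rule, shows the corner bloke's self-signed certificate failing against the town's root and passing only when it is itself the trusted root, then has the Deputy publish a CRL that a customer checks for issuer signature, freshness and Gary's serial. One point the story does not spell out and the code does: Go's x509.Verify performs no revocation checking at all, so the CRL lookup is a separate, explicit step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on fixture-setup errors; the security decisions (Verify, CheckRevocation) return errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs tmpl with parentKey; passing tmpl as its own parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// BuildTown builds Mayor -> Deputy -> Gary in memory plus the bloke's self-signed cert (all names and serials made up); the Deputy's key is returned because she signs the CRL later.
func BuildTown() (root, deputy, gary, bloke *x509.Certificate, deputyKey *ecdsa.PrivateKey) {
	rootKey, garyKey, blokeKey := newKey(), newKey(), newKey()
	deputyKey = newKey()
	now := time.Now()
	tmpl := func(cn string, serial int64, isCA bool, sans ...string) *x509.Certificate {
		c := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), DNSNames: sans}
		c.KeyUsage = x509.KeyUsageDigitalSignature
		if isCA {
			c.IsCA, c.BasicConstraintsValid = true, true
			c.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		}
		return c
	}
	// Root CA: the Lord Mayor signs his own certificate (the template is its own parent).
	rootTmpl := tmpl("Lord Mayor Root CA", 1, true)
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	// Intermediate CA: her certificate is signed with the root's key; she does the day-to-day issuing.
	deputy = issue(tmpl("Deputy Mayor Intermediate CA", 2, true), root, &deputyKey.PublicKey, rootKey)
	// Gary's CSR: his public key and the names he wants, signed with his private key, which never leaves him.
	// The apex is listed explicitly: "*.garyscoffee.com" alone matches orders./staff. but not the apex nor a.b.garyscoffee.com.
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "Gary's Coffee Shop"},
			DNSNames: []string{"garyscoffee.com", "*.garyscoffee.com"}}, garyKey))))
	// The Deputy checks the CSR's self-signature (proof Gary holds the key), then issues a leaf carrying the CSR's public key and SANs.
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	gary = issue(tmpl(csr.Subject.CommonName, 1001, false, csr.DNSNames...), deputy, csr.PublicKey, deputyKey)
	// The bloke on the corner: a leaf that signed itself. The signature verifies; nobody vouches for it.
	blokeTmpl := tmpl("Bloke on the Corner", 7, false, "corner-coffee.com")
	bloke = issue(blokeTmpl, blokeTmpl, &blokeKey.PublicKey, blokeKey)
	return root, deputy, gary, bloke, deputyKey
}

// Verify is the customer's check: leaf -> intermediates -> the trusted root, then hostname against the SANs (a wildcard matches exactly one label). x509.Verify does no revocation checking.
func Verify(leaf *x509.Certificate, hostname string, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: hostname}
	opts.Roots.AddCert(root) // the customer's (single-entry) trust store
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// IssueCRL is the Deputy's noticeboard: a signed list of revoked serials, republished weekly.
func IssueCRL(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, revoked *x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, issuerKey))))
}

// CheckRevocation is the step Verify skips: the CRL must be signed by the leaf's issuer, must not be past its NextUpdate, and must not list the leaf's serial.
func CheckRevocation(leaf, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL stale: next update was due %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %d is revoked", leaf.SerialNumber)
		}
	}
	return nil
}
```

Run it under go test with assertions on the return values, or add a main that calls BuildTown and prints the Verify and CheckRevocation results. The CRL is built with the RevokedCertificates field so the file compiles on Go releases back to 1.19; Go 1.21 added RevokedCertificateEntries as the preferred spelling and still populates the older field when parsing.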
Gary's mate keeps a copy of Gary's private key in his own safe, just in case Gary loses it. That's key escrow — a backup of the private key held by a trusted third party. It makes sense for keys that encrypt data you can't afford to lose; for a TLS server key the usual advice is the opposite, because a second copy is a second place to steal it from, and a lost key is fixed by simply issuing a new certificate.
OCSP Stapling is the best revocation method — the server carries the proof itself so the client never has to call the CA. The noticeboard is weekly. The phone call is real-time but slow, leaks who is checking, and usually soft-fails. Stapling is fresh for as long as the stamped letter is valid, and with Must-Staple a missing letter means no sale. — Story 07 · PKI & Certificates