Browsers sometimes won’t load a page because there’s a problem with its certificate. What are these certificates and who issues them? Why is it dangerous to open a page with an invalid one?

6 Answers

Anonymous 0 Comments

**Certificates** are digital proofs issued by authorities like a CA (Certificate Authority) to companies that host websites on the internet. They provide proof to your browser that yes, this site is what it claims to be (the browser cross-checks with the issuing authority). For example: yes, this is the legit reddit site.

Browsers have a way to verify that the proof provided is correct and valid in terms of the longevity of the certificate (dates). It’s dangerous to open a site without a valid certificate because of **Phishing** scams – where people make a duplicate of the original site in order for you to punch in your passwords and other important information. So the browser will warn you if it sees an invalid or expired certificate.

Anonymous 0 Comments

Certificates are basically IDs for websites. They are issued by a certificate authority that is trusted by other organizations, like the DMV with your driver’s license.

Your browser knows what companies it can trust to issue certificates, and can follow a path back to validate that a certificate is legit or not.

The issue with opening a page with an invalid cert is that if the cert is invalid, you have no way to know whether the site you are trying to visit is actually a legit site or not.

Anonymous 0 Comments

When you visit www.reddit.com, how do you know the webpage you are loading came from the Reddit Company and not Vlad’s House of Stolen Personal Info?
Vlad could have intercepted the reddit webpage and made a web page that looks exactly like reddit, except it sends him your password, login and whatever else you would give reddit to run.

The answer is that reddit went to a **Certificate Authority** and gave them a special number called a Public Key. If you have this public key, you can encrypt stuff so that only reddit can read it. Reddit can also make this thing called a signature, which you can use the public key to confirm that reddit made it.

Certificate Authorities also have a public key. You probably had the public key for one or more major Certificate Authorities installed along with your browser.

So when you receive a message with reddit’s public key, since the Certificate Authority signed it, you know that it’s actually from the Certificate Authority, and then you can figure out if the page you got was actually from reddit.

Now when you load reddit, and you get the key and find out the signature doesn’t match, your browser raises hell and warns you about an invalid Certificate. It means that website you loaded could have been sent by Vlad and not reddit.
More likely though it’s just your coffee shop wifi substituting a wifi login page for reddit. The browser doesn’t care about what’s actually being shown, just that the signature doesn’t match.

Anonymous 0 Comments

There are three common reasons for a cert to be invalid:

- the site is using it wrong. For example, maybe there was a site “awesome_computers.example.com” with an appropriate certificate. And they were bought out by “underpowered_computers.example.com”, and the web site switched over so that when you visit awesome, you actually get underpowered. The “underpowered” cert doesn’t match the address you typed, so it will be flagged.
- the cert expired. Embarrassing, but it happens to a lot of companies, including big ones.
- someone is redirecting your browser.

There are a ton of less common reasons, too, which is why nobody can give a “one size fits all” answer to the important question, “should I click through anyway”.
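The chain-of-trust idea in the previous answer (a CA signs reddit’s public key, the browser checks that signature with the CA key it already has) and the three failure reasons in this one can be seen together in one small stand-alone model. This is an added example, not code from the thread or from any browser: a toy CA, a toy certificate and a verifier that applies the browser’s checks in order (is the issuer in the trust store, does the signature verify, does the name match, are the dates valid). The CA names, hostnames, dates and “Vlad” scenarios are constructed, and the signature scheme is textbook RSA over a SHA-256 digest with small keys, chosen only so the example runs with the Python standard library; real browsers validate X.509 chains with padded signatures and much larger keys.

```python
# Added example, not from the thread: a toy CA, a toy certificate and the checks a
# browser runs before trusting it.  Signatures are textbook RSA over a SHA-256 digest
# (no padding, 512-bit keys) purely to stay stdlib-only; real browsers use X.509 chains.
import datetime as dt
import hashlib
import random

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test; adequate for a toy key generator."""
    if n < 2 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if _is_probable_prime(c):
            return c

def make_keypair(bits=512):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))   # modular inverse, Python 3.8+

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data):
    return pow(_digest(data), private_key[1], private_key[0])

def verify(public_key, data, signature):
    return pow(signature, public_key[1], public_key[0]) == _digest(data)

def _to_be_signed(cert):
    """Canonical bytes of every field the CA vouches for."""
    fields = ("subject", "public_key", "issuer", "not_before", "not_after")
    return "|".join(str(cert[k]) for k in fields).encode()

def issue_certificate(issuer, issuer_private_key, subject, subject_public_key,
                      not_before, not_after):
    """The CA binds a hostname to a public key and signs that binding."""
    cert = {"subject": subject, "public_key": subject_public_key, "issuer": issuer,
            "not_before": not_before, "not_after": not_after}
    cert["signature"] = sign(issuer_private_key, _to_be_signed(cert))
    return cert

def validate(cert, hostname, trust_store, today):
    """The browser's decision as (ok, reason); trust_store maps CA name -> CA public key."""
    ca_key = trust_store.get(cert["issuer"])
    if ca_key is None:
        return False, "untrusted issuer"           # "run your own CA" lands here
    if not verify(ca_key, _to_be_signed(cert), cert["signature"]):
        return False, "bad signature"              # forged or altered contents
    if cert["subject"] != hostname:
        return False, "name mismatch"              # cert is for some other site
    if not cert["not_before"] <= today <= cert["not_after"]:
        return False, "expired or not yet valid"
    return True, "ok"

def demo():
    """Run the thread's scenarios against www.reddit.com; returns {scenario: reason}."""
    today, start, end = dt.date(2024, 6, 1), dt.date(2024, 1, 1), dt.date(2025, 1, 1)
    host, ca = "www.reddit.com", "Trusted Root CA"
    ca_pub, ca_priv = make_keypair()
    trust_store = {ca: ca_pub}                      # constructed; "ships with the browser"
    site_pub, _ = make_keypair()
    _, vlad_ca_priv = make_keypair()                # Vlad's own CA, which nobody installed
    vlad_pub, _ = make_keypair()
    good = issue_certificate(ca, ca_priv, host, site_pub, start, end)
    certs = {
        "valid": good,
        "expired": issue_certificate(ca, ca_priv, host, site_pub,
                                     dt.date(2022, 1, 1), dt.date(2023, 1, 1)),
        "name_mismatch": issue_certificate(ca, ca_priv, "underpowered_computers.example.com",
                                           site_pub, start, end),
        "untrusted_ca": issue_certificate("Vlad's CA", vlad_ca_priv, host, vlad_pub, start, end),
        "tampered": dict(good, public_key=vlad_pub),  # real cert with Vlad's key swapped in
    }
    return {name: validate(c, host, trust_store, today)[1] for name, c in certs.items()}

if __name__ == "__main__":
    print(demo())
```

Running it prints one reason per scenario. Two details are worth noticing: the issuer check comes before the signature check, so a certificate from a CA the browser has never heard of is rejected even though its own signature is perfectly sound (which is why setting up your own CA buys nothing until others install its key), and the “tampered” case fails on the signature rather than the name, because the signature covers every field of the certificate, not just the hostname.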

Anonymous 0 Comments

As others have said, it’s basically having a “trusted” party vouch for a site.

Invalid certificates can be for a variety of reasons, but 95% of them will be because the site didn’t provide a certificate that is credible with a “trusted” party.

Generally this is a big indicator of illegal activity, as it’s easy to get one. The cases where certificates may be invalid but not for criminal activity relate to technical issues on the side of the website host that require someone to clean up before the site is valid again.

Anonymous 0 Comments

> What are these certificates

It’s identification – e.g. “this is reddit.com”.

> who issues them?

A Certificate Authority (CA) “signs” them, cryptographically vouching for the ID. Browsers have a list of CAs and a public key so they can check to see if that signing / vouching is legit.

You can run your own CA and sign your own certificates, but that’s not worth a lot until you get everyone to trust your CA.

> Why is it dangerous to open a page with an invalid one?

Say some site says it’s reddit.com, but that vouching doesn’t check out. You might log in and someone takes over your account. Not fun, but not as bad as if it happens with your bank’s web site.

**Edit: Here is a great [presentation](https://www.youtube.com/watch?v=09fNjMur1Gs) on these concepts and some problems with them. It gets a bit technical, but Geoff Huston makes it fairly accessible. Almost everyone will come away being a bit more paranoid about this stuff.**