So, to start with, we need to encrypt some data. Why? Maybe you’re cheating on your wife. Maybe you’re buying her a surprise.
Whatever, you want to hide your communication from prying eyes.
So, we can agree method to do so.
Perhaps we’re going to talk in French. Or maybe we’ll use a simple, home made method. We’ll move each letter one place to the right on our keyboards (wrapping to the left, when we reach the end).
So, rmvtqyopm od vppl! Tophjt?

The above message was written using a standard U.K. iPhone keyboard. Decrypt it!
Simply put, encryption is taking some data, and transforming it in such a way that it can only be returned to to its original form by following a set of instructions.

In the real world, we use huge mathematical problems which are really easy to do one way, but really hard the other. Think “multiply x by y to get the answer”, where both x and y are *huge* prime numbers.

The issue there is, we need to negotiate our method of translation in the public space of the internet. Back in the day, one might just have left it in an envelope in a crack in the wall, but we can’t do that anymore. There’s no hidden walls on the internet that you can tuck an envelope into and be certain no one can find it.

Introduce, public key encryption.
We negotiate a mutually *shared secret*, using a combination of our *public* and *private keys*. Professor Mike Pound on the YT channel Computerphile has done an excellent video on public key exchanges, and I don’t want to butcher his explanation, so I’d suggest watching that, but the simple version is; using a mix of our public and private keys, we encrypt data.

On to PKI. This gets messy, so strap in.

So, to start with, we have a *certificate authority*, which we’ll call Root CA. Because he’s the Root of our Tree.
The Root CA is something, or someone, we’ve decided is trustworthy. How we philosophically trust that entity isn’t the issue here.
A root CA, commercial or otherwise, issues a *certificate*, which they have *signed*, using their *private key*. The certificate contains the Root CA’s *public key*. A signed certificate is a technical method of saying “I trust that this person is who they say they are”. For example, Google will trust YouTube, and so will sign a certificate, and issue it.

The next person (YouTube, in this case) will send this certificate out to anyone who asks for it, and when you look at it, you’ll see “YouTube, certified by Google”. Literally, go to YouTube and click the padlock, then view Certificate Path (or chain, depending on browser).

From that point, your browser will check its “people I trust” list (Trusted Certificate Authorities, they come pre bundled with the browser and/or operating system).
If the Chrome finds YouTube on its “people I trust” list, it will say “yep, ok” and begins using the encryption method that the certificate has instructed it to (the public key which it found on the certificate).

At this point, you’ve begun an encrypted channel of communication between server (YouTube) and client (you).
All because you implicitly trust Microsoft, who also implicitly trusts Google, who trusts YouTube.

So, You >>trusts>>Microsoft>>trusts>>YouTube.

What happens if Chrome can’t find it on the “people I trust” list? Well, it can look at the “people I don’t trust” list (Certificate Revocation List, CRL for short).
If any of the members of the chain are on the list, we don’t trust it, which means we get the “This connection is not trusted/secure” error.

Okay, so how does this apply in the real world?
Well, when you start a website, by default, *no one will trust you*. Which means *everyone* will get an error warning them of a not secure connection. Bad news. I won’t enter my credit card details into that.
You approach a Public CA and ask them to sign your certificate (a Certificate Signing Request, or CSR) – lets say you approach GlobalSign.
They ask you to prove you’re trustworthy, and then you receive your certificate, which you can then photocopy and staple to the back of your own, which you’ll send out.
So your customer>>trusts>>Microsoft>>trusts>>GlobalSign>>trusts>>www.opswebsite.com.
Your customers now have an encrypted channel to use when they’re ordering all the hentai you sell. Grand.