Hands-On: Read a Real Certificate
These exercises take you inside the certificate system — the same one your phone checks automatically every time you open a banking app.
Exercise 1 — Read a Bank’s Certificate Chain
Before You Start: Every HTTPS site has a certificate chain going from the site’s certificate up to a Root CA. This exercise shows you how to read it.
- Open Chrome on your phone and go to https://hdfcbank.com
- Tap the padlock icon in the address bar
- Tap “Certificate” or “Certificate is valid”
- You are now looking at the site’s certificate. Note:
  - Subject / Common Name — what domain is this certificate for?
  - Issuer — which Intermediate CA issued this?
  - Validity — when does it expire?
- Look for a way to navigate up the chain. In Chrome, you may see tabs or an “Issued by” link. In Firefox on desktop, you can see the full chain in the Certificate Viewer
- If your browser shows the chain, tap through to the Intermediate CA and then the Root CA
What You’re Seeing
You have just walked the same chain your browser walks every time you visit this site. The Root CA certificate at the top is embedded in your Android or iOS device, pre-installed by Google or Apple. Everything below it depends on that pre-established trust.
Discussion Prompt: The HDFC Bank certificate expires on a specific date. What happens to every customer who tries to use net banking if the bank’s IT team forgets to renew it?
Exercise 2 — See What a Certificate Error Looks Like
Before You Start: badssl.com is a test site maintained specifically to demonstrate different certificate error states. It is safe to visit — these errors are intentional.
- Open your browser and go to https://expired.badssl.com
- Read the error message carefully — what does your browser say?
- Look for the “Advanced” option and tap it — read the technical explanation your browser provides
- Do not proceed to the site for the next step
- Go back and visit https://self-signed.badssl.com
- Read this error message — how is it different from the expired certificate error?
- Now visit https://wrong.host.badssl.com — what does this error mean?
What You’re Seeing
Each error represents a different failure in the certificate verification chain:
| URL | Error Type | What It Means |
|---|---|---|
| expired.badssl.com | Certificate expired | The validity period has passed |
| self-signed.badssl.com | Untrusted issuer | No CA in your trust list signed this |
| wrong.host.badssl.com | Domain mismatch | Certificate was issued for a different domain |
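The three failures in the table, reproduced by a small verifier added here as an example (it is not part of the original exercises). Certificates are constructed dicts rather than real X.509 data, the names Example Root CA and Example Intermediate CA are made up, and signature checks are left out; the wildcard rule is what makes wrong.host.badssl.com fail even though *.badssl.com covers most badssl.com hosts.

```python
from datetime import datetime, timezone

# Constructed trust store: the single Root CA this toy verifier believes in.
TRUST_STORE = {"Example Root CA"}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so results repeat

def cert(subject, issuer, names, expires_year):
    """Constructed, dict-based stand-in for an X.509 certificate."""
    return {"subject": subject, "issuer": issuer, "names": names,
            "not_before": datetime(2023, 1, 1, tzinfo=timezone.utc),
            "not_after": datetime(expires_year, 1, 1, tzinfo=timezone.utc)}

def name_matches(pattern, hostname):
    """RFC 6125-style matching: a leading wildcard covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.badssl.com" -> ".badssl.com"
    return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]

def verify(chain, hostname, now=NOW):
    """Return None if chain[0] is acceptable for hostname, else the error type."""
    # 1. Walk up: each issuer must be the next certificate's subject, until we
    #    reach an issuer in the trust store. (Signature checks are omitted here.)
    for i, c in enumerate(chain):
        if c["issuer"] in TRUST_STORE:
            break
        if i + 1 == len(chain) or chain[i + 1]["subject"] != c["issuer"]:
            return "Untrusted issuer"  # self-signed or signed by an unknown CA
    # 2. Every certificate in the chain must be inside its validity window.
    for c in chain:
        if now > c["not_after"]:
            return "Certificate expired"
        if now < c["not_before"]:
            return "Certificate not yet valid"
    # 3. The leaf must have been issued for the name the user actually typed.
    if not any(name_matches(n, hostname) for n in chain[0]["names"]):
        return "Domain mismatch"
    return None

INTERMEDIATE = cert("Example Intermediate CA", "Example Root CA", [], 2030)
GOOD = [cert("*.badssl.com", "Example Intermediate CA", ["*.badssl.com", "badssl.com"], 2026), INTERMEDIATE]
EXPIRED = [cert("*.badssl.com", "Example Intermediate CA", ["*.badssl.com"], 2024), INTERMEDIATE]
SELF_SIGNED = [cert("self-signed.badssl.com", "self-signed.badssl.com", ["self-signed.badssl.com"], 2026)]

if __name__ == "__main__":
    for chain, host in [(GOOD, "badssl.com"), (EXPIRED, "expired.badssl.com"),
                        (SELF_SIGNED, "self-signed.badssl.com"), (GOOD, "wrong.host.badssl.com")]:
        print(f"{host:24} -> {verify(chain, host) or 'OK'}")
```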
These errors on badssl.com are intentional demonstrations. But if you see any of these errors on a real banking site or a site where you enter a password — leave immediately. Do not click “Advanced → Proceed.” These errors mean you cannot verify the identity of the server you are connecting to.
Discussion Prompt: If you were an attacker trying to steal someone’s banking credentials, which of these three errors would you most likely trigger accidentally? Why?
Exercise 3 — Analyse a Certificate with SSL Labs
Before You Start: SSL Labs runs a detailed technical analysis of a site’s certificate and TLS configuration. This is the tool that security professionals use to audit sites.
- Go to ssllabs.com/ssltest on your phone’s browser
- In the hostname field, type sbi.co.in and tap Submit
- Wait for the analysis to complete (60–90 seconds)
- Look at the overall grade (A, A+, B, etc.)
- Scroll to the Certificate section and find:
  - Subject — the domain name
  - Fingerprint — a unique identifier for this specific certificate
  - Pin SHA256 — used for certificate pinning (an advanced security feature)
  - Issuer — the CA that signed it
  - Signature algorithm — how the signature was created
  - Key — what type and size is the public key?
- Scroll to Protocol Details and find whether the site supports TLS 1.3
What You’re Seeing
The certificate fingerprint is a hash — a unique digital fingerprint of the certificate. If the certificate changes (even by one character), the fingerprint changes completely. This is how certificate pinning works: an app stores the expected fingerprint and refuses to connect if it does not match, even if a technically valid certificate is presented. Banking apps use this to prevent attackers from using fake certificates.
Notice the Key field — it likely shows RSA 2048 bits or ECDSA 256 bits. ECDSA (Elliptic Curve Digital Signature Algorithm) keys are shorter but just as secure as much longer RSA keys, because they are based on a different mathematical problem. ECDSA 256-bit provides security equivalent to RSA 3072-bit, while being significantly faster to compute. This is why modern certificates are moving to ECDSA.
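An added example (not from the original exercise) of the fingerprint-and-pin logic described above: it formats a SHA-256 fingerprint the way SSL Labs displays it, shows how much a one-byte change alters it, and refuses a certificate that is not in the app’s pin set. The certificate bytes and pin values are constructed placeholders, not data from SBI or any real site.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form SSL Labs and browsers show."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pin_check(cert_der: bytes, pins: set) -> bool:
    """Accept only a certificate whose fingerprint the app shipped with.
    A real app runs this after ordinary chain validation has already passed,
    so a valid-but-unexpected certificate is still refused."""
    return fingerprint(cert_der) in pins

def differing_hex_digits(fp_a: str, fp_b: str) -> int:
    """Count hex digits that differ between two fingerprints (colons ignored)."""
    a, b = fp_a.replace(":", ""), fp_b.replace(":", "")
    return sum(x != y for x, y in zip(a, b))

# Constructed stand-ins for DER certificate bytes; none is a real certificate.
BANK_CERT = b"constructed-der-for-bank.example-v1"
RENEWED_CERT = b"constructed-der-for-bank.example-v2"  # differs by one byte
UNPINNED_CERT = b"constructed-der-issued-by-some-other-trusted-ca"

# Pin set baked into the app: current certificate plus a pre-generated backup,
# so a planned renewal does not lock every customer out of the app.
PINS = {fingerprint(BANK_CERT), fingerprint(RENEWED_CERT)}

if __name__ == "__main__":
    print("current :", fingerprint(BANK_CERT))
    print("renewed :", fingerprint(RENEWED_CERT))
    print("hex digits changed by a one-byte edit:",
          differing_hex_digits(fingerprint(BANK_CERT), fingerprint(RENEWED_CERT)), "of 64")
    for name, der in [("current", BANK_CERT), ("renewed", RENEWED_CERT), ("unpinned", UNPINNED_CERT)]:
        print(f"{name:9} pin check -> {'accept' if pin_check(der, PINS) else 'reject'}")
```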
Discussion Prompt: SSL Labs shows the certificate’s expiry date. Should SBI be renewing this certificate automatically or manually? What are the risks of each approach?
Tying It Together
You now know how to read the certificate system that underpins all HTTPS security:
- Reading the chain — from site certificate to Intermediate CA to Root CA
- Understanding errors — expired, self-signed, wrong domain, revoked
- Using SSL Labs — the professional tool for certificate analysis
Every time you do online banking, your phone does all of this automatically. Now you understand what it is doing and why. In Session 4, we see what happens when attackers try to circumvent this system — and how online banking is designed to resist those attacks at every layer.