Security is controlled by digital certificates that act as electronic ID cards. The purpose of a certificate is to assure a program or a user that it is safe to allow the proposed connection and (if encryption is involved) to provide the necessary encryption/decryption keys. They are usually issued by Certificate Authorities (CAs), which are organizations that are trusted by the industry as a whole and who are in the business of issuing of Internet certificates. A CA's certificate, which is also known as a root certificate, includes the CA's signature and a validity period, among other things.

Encryption and authentication are performed by means of a pair of keys, one public and one private. The public key is embedded in a certificate, known as a site or server certificate. The certificate contains several items of information, including the name of the Certificate Authority (CA) that issued the certificate, the name and public key of the server or client, the CA's signature, and the date and serial number of the certificate. The private key is created when you create a self-signed certificate or a CA certificate request and is used to decrypt messages from clients.