What Are TLS Certificates?
When you visit a website with "https://" in the URL, your browser and the server perform a cryptographic handshake using TLS (Transport Layer Security) certificates. This process does two things:
- Encrypts the connection — preventing eavesdropping on data in transit
- Authenticates the server — proving you are communicating with the legitimate owner of the domain, not an impostor
For digital evidence, the second function is what matters most.
How TLS Authentication Works
The Certificate Chain
TLS authentication relies on a hierarchical chain of trust:
- Root Certificate Authority (CA) — A trusted organization (like DigiCert, Let's Encrypt, or Sectigo) whose root certificates are pre-installed in operating systems and browsers
- Intermediate CA — Certificates issued by the root CA to delegate signing authority
- Server Certificate — The certificate issued to the specific domain (e.g.,
example.com), signed by the intermediate CA
When your browser connects to a website, it verifies this entire chain — from the server certificate up through intermediates to a trusted root. If any link in the chain is invalid, expired, or unrecognized, the browser displays a security warning.
Validation Levels
Certificate authorities issue certificates with different levels of identity verification:
- Domain Validation (DV) — Confirms the applicant controls the domain. Minimal identity verification. Most common type.
- Organization Validation (OV) — Verifies the organization's legal existence and domain ownership. Moderate assurance.
- Extended Validation (EV) — Rigorous verification of the organization's identity, legal status, and physical address. Highest assurance.
Why TLS Certificates Matter for Evidence
Proving Website Identity
A TLS certificate answers a fundamental evidential question: "Was this content actually served by the claimed website?"
When evidence includes the TLS certificate data from the capture session, it proves:
- The browser connected to a server that holds a valid certificate for the domain
- A trusted Certificate Authority verified ownership of that domain
- The connection was encrypted and authenticated — not intercepted or spoofed
Preventing Man-in-the-Middle Claims
Without TLS certificate evidence, opposing counsel can argue that the captured content came from a different source — a local file, a spoofed server, or a man-in-the-middle proxy. TLS certificate data refutes these arguments by proving the browser established a verified, encrypted connection to the authentic server.
Establishing Temporal Validity
TLS certificates have defined validity periods (typically 90 days to 1 year). The certificate captured during evidence collection includes:
- Issue date — When the certificate was granted
- Expiration date — When it will no longer be valid
- Certificate serial number — Unique identifier that can be verified against CA records
This temporal data corroborates the capture timestamp: if the certificate was valid at the claimed capture time, it supports the evidence timeline.
What TLS Certificate Data Looks Like
A captured TLS certificate contains structured data including:
Subject: CN=www.example.com
Issuer: CN=R3, O=Let's Encrypt, C=US
Valid From: 2026-01-01 00:00:00 UTC
Valid To: 2026-04-01 00:00:00 UTC
Serial Number: 04:A3:7B:C9:...
Signature Algorithm: SHA256withRSA
Public Key: RSA 2048-bit
Subject Alternative Names: example.com, www.example.com
This data can be independently verified against Certificate Transparency logs — public, append-only databases maintained by CAs that record every certificate issued.
Certificate Transparency Logs
Certificate Transparency (CT) is a system that requires CAs to publish every certificate they issue to public logs. These logs are independently auditable and provide:
- Proof of issuance — Anyone can verify that a certificate was legitimately issued by a recognized CA
- Historical records — CT logs retain certificate records even after certificates expire
- Fraud detection — Unauthorized or fraudulent certificates can be identified through CT monitoring
For evidence purposes, CT logs serve as an independent, third-party record that corroborates the TLS certificate captured during evidence collection.
How TrueSnap Captures TLS Data
During a forensic capture, TrueSnap extracts and preserves the complete TLS certificate chain:
- Server certificate — The certificate presented by the website
- Intermediate certificates — The chain linking the server certificate to a trusted root
- Certificate metadata — Validity periods, issuer information, signature algorithms
- Connection parameters — TLS protocol version and cipher suite used
This data is included in the evidence package alongside the screenshot, DOM snapshot, HAR file, and metadata — creating multiple independent layers of source verification.
Practical Implications
For Fraud Cases
When documenting fraudulent websites, the TLS certificate data can reveal:
- Whether the site used a legitimate certificate or a self-signed one
- The certificate's validation level (DV certificates require less verification than OV or EV)
- When the certificate was issued, which may indicate how recently the fraudulent site was set up
For Intellectual Property Cases
TLS certificates help prove that infringing content was hosted on a specific domain operated by a specific entity — particularly valuable when the domain owner is identified through OV or EV certificate data.
For Regulatory Compliance
When capturing evidence of regulatory violations on websites, TLS certificate data proves the content was served by the actual regulated entity — not a parody or impersonation site.
Key Takeaway
TLS certificates are the internet's identity verification system. When preserved as part of a forensic evidence package, they provide independently verifiable proof that content came from an authenticated server. Combined with HAR network logs and cryptographic hashing, TLS certificate data transforms a capture from "an image that could be anything" into "verified content from an identified source." For any evidence that may face legal scrutiny, this distinction is critical.