Skip to content
All writing Part 01 of 06 · PKI & TLS Behind a Migration Ticket
Engineering · 3 min read

TLS Basics, and Why There Are Three Certificate Files

TLS does two jobs: encryption and identity. Identity needs three files, not one. root_ca verifies them; certificate plus private_key proves you. Here's the split.

First, the words. TLS (older name: SSL) is the protocol that secures a network connection. It does two separate jobs, and it helps to keep them apart:

  • Encryption. Both sides agree on a shared secret key during a short setup called the handshake, then use it to scramble the traffic so nobody in between can read it.
  • Identity. Each side can prove who it is with a certificate, a digital ID document signed by a Certificate Authority (CA), an issuer everyone agrees to trust.

The handshake in plain steps: the client says hello, the server sends its certificate, the client checks that a CA it trusts signed that certificate, both sides derive the same secret key without ever sending it across, and then the real, encrypted data flows.

Where people get lost is that identity needs three files, not one. They look alike and they are not:

root_ca.pem verifies THEM the trust anchor not secret certificate.pem your public ID signed by the CA not secret private_key.pem proves it's YOURS never sent SECRET
You check the other side with root_ca; you prove yourself with certificate plus private_key. Only the private key is secret.
FileWhat it isSecret?
root_ca.pemthe trust anchor: proves the other side’s certificate is legitno
certificate.pemyour own public ID, signed by the CAno
private_key.pemthe matching secret that proves the ID is really yours (never sent)yes

Rule of thumb: you check the other side with root_ca, and you prove yourself with certificate plus private_key. (.pem is just a common text format for storing these.)

In this migration: the deploy puts exactly these three files next to pixel-service so it can speak TLS to the Kafka server on port 9093. Leaking private_key.pem would hand someone your identity, so the verify script deletes it on exit.

root_ca checks them. certificate plus private_key proves you. Mix the roles up and nothing connects.


References

Related: these three files are what makes the Kafka client’s SSL config work, and the difference between showing one cert or two is one-way vs mutual TLS. Back to the overview: two SSLs behind one migration ticket.

Tags #tls #security
// connect

Be brave | Be wise | Be grateful

21 BreakinCode

// elsewhere
LinkedInMedium (lang: en)Life RecordYoutube
wh:~$William Hung· © 2026 Taipei · GMT+8 · Available for collaboration