What is the purpose of TLS certificates and how is trust established?


Multiple Choice

What is the purpose of TLS certificates and how is trust established?

Explanation:
TLS certificates bind a server’s public key to its real identity, which lets a client verify who it is talking to. Trust is built through a chain of trust: the server’s certificate is issued by a Certificate Authority that the client already trusts (via a root certificate in the client’s trust store), possibly with one or more intermediate CAs. The client checks that the certificate is valid, not expired or revoked, that the hostname matches, and that the certificate’s signature chains up to a trusted root. If this validation succeeds, the client can use the server’s public key as part of the handshake to establish a secure session key; the private key remains securely on the server. The certificate itself does not store private keys and does not encrypt data directly; it enables the cryptographic operations that set up the encrypted channel. Revocation checks (CRLs or OCSP) can further ensure the certificate hasn’t been revoked.

