Let me try it in layman's terms. A "certificate" isn't really a license. It's more like a letter of recommendation. A "certificate authority" is a trusted entity that issues a digital certificate saying "we know who this website is and they are legit". [The certificate is actually an encryption key - see Ned's reply.] The web site and those who use it have to trust the certificate issuer to have verified it. Your browser checks for a valid certificate from a known issuing authority, but you can tell it to accept one from an authority the browser does not recognize, or even to accept one that is out of date or otherwise invalid. It's not really unusual for a certificate to be expired - they often don't get renewed until web site or server users start complaining! It's also common for small, privately operated web sites to issue their own certificate. If the data being passed back and forth is not really critical (e.g. forum messages, blogs, etc.) there is little need to worry about imposters, so accepting a site certificate from an unknown issuing authority isn't much risk. However, you might want to avoid sending any important private data via that site unless you are really sure you know who they are and what they might do with your data.
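The three outcomes described in the post above (unknown issuer, issuer accepted by the user, certificate out of date), reproduced with the openssl command line as an added example that is not part of the original post. The hostname smallsite.example and the temporary files are constructed, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example. Hostname and files are constructed; requires the openssl CLI.
dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT

# A small site issuing its own certificate (valid for 1 day).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=smallsite.example" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
now=$(date +%s)
later=$((now + 2 * 86400))   # two days on, past the certificate's end date

# cert_verdict CERT TRUSTED_CA_FILE_OR_EMPTY EPOCH_SECONDS
# Prints the decision a validating client reaches at that moment.
cert_verdict() {
    # openssl verify exits non-zero on failure; keep going and read its message.
    out=$(openssl verify ${2:+-CAfile "$2"} -attime "$3" "$1" 2>&1) || true
    case "$out" in
        *"has expired"*) echo expired ;;
        *self?signed*)   echo unknown-issuer ;;
        *": OK"*)        echo trusted ;;
        *)               echo invalid ;;
    esac
}

echo "default trust store:      $(cert_verdict "$dir/cert.pem" "" "$now")"
echo "user accepted the issuer: $(cert_verdict "$dir/cert.pem" "$dir/cert.pem" "$now")"
echo "accepted, two days later: $(cert_verdict "$dir/cert.pem" "$dir/cert.pem" "$later")"
```

Passing the certificate as its own `-CAfile` stands in for clicking through the browser warning: the trust decision comes from the user, not from any verification by an issuing authority.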