I’ve read some basics of how digital certificate works, but I don’t understand why it’s safe.
I know a DC contains company name, public key, unique ID, expiration date and it has digital signature. Also, a user can verify it by browser which has a list of root CAs and Intermediate CAs. In addition, those CAs are trusted.
But, still, I don’t understand why this will make sure the message I received from the website is from the authentic website. Say the website x has certificate DCx, and I obtained DCx (although I can’t get the private key). When another user sends request to x, somehow I’m on the route and I intercept this request. I show DCx to the user, he will verify it and it should seem authentic because it has all the valid information. Then I will be able to phish him. Please let me know what I’m missing or wrong.
Maybe the main problem is that I don't fully understand how digital certificate is verified. There are articles talk about how digital certificate is issued and what it contains, but I didn't find any information about how exactly digital certificate is verified when you are opening a website and sending requests.
PS: This question is different than How does public key encryption work? in that the other question only discuss public key, however public key is one component of digital certificate; it contains a lot more.