Re: "To obtain a certificate from a CA you have to convince them of your credentials"
I think this article has lost the fundamental point about certificates, which is that the certificate declares that *the holder of a specific private key* has the asserted identity.
The way this article reads, you'd think that certificates are something private - something that you have to keep secure and not give away, like a passport.
This is simply not true. You can publish your certificate to anyone who wants to see it. Indeed, when you make a TLS connection, your certificate is returned directly to the person connecting, no questions asked.
The certificate is a document which binds together:
1. an identity (e.g. www.facebook.com)
2. a public key
3. a validity period
4. a signature (created by a CA using their private key)
The website has to go through a dance to convince you that they possess the *private* key which corresponds to the public key in the certificate. Then you have to validate the signature, using your local copy of the public key of the CA. And you check the current time is within the validity period.
Once you've done all this, you know that the CA asserts that the server you are talking to has the given identity.
This article leaves all mention of public/private keys until point 6, and as far as I can see, makes no mention of the intrinsic use of public/private keys with certificates. If you don't understand this, then you don't understand the risks with certificates (e.g. if your server is compromised and the private key is lost).
If you want a non-technical analogy, then the certificate is like a glass slipper. The identity is Cinderella, the private key is her foot, and the Certificate Authority is the Fairy Godmother (who made the glass slipper to fit Cinderella's foot and no other).
The other point about certificates is that they normally make no assertion about the principal apart from "this key belongs to the owner of domain example.com". With the advent of free CAs like startssl and letsencrypt, all you need to do is to prove you can add a DNS record or receive an E-mail at the domain contact address, and you get a certificate.
In particular, a certificate provides *no* assertion that:
* This site is a particular type of institution, say a bank registered in the UK
* This site is "trustworthy" or "safe to do business with" (for some definition of those terms)
However, if you're lucky, an "EV" certificate will give you a verified company name of whoever you are talking to.
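The four-part binding and the three client-side checks described in the comment above, modelled in Python as an added example (not code from the commenter or from any real TLS library). It uses toy textbook RSA over small constructed primes purely to make the public/private split visible; the CA, server and attacker key pairs, the hostname, the nonce and the timestamp are all constructed placeholders. The scenarios show why the certificate itself can be handed to anyone (holding it without the matching private key proves nothing), why a self-issued certificate fails the CA signature check, and why a stolen private key is indistinguishable from the genuine server.

```python
import hashlib
import json

# --- Toy textbook RSA over small constructed primes ---------------------------
# Illustrates the public/private key split only; far too small to be secure.
def is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def gen_key(p, q, e=65537):
    assert is_prime(p) and is_prime(q)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return {"n": n, "e": e}, {"n": n, "d": d}  # (public key, private key)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])

# --- The certificate: identity + public key + validity period + CA signature --
def _tbs(cert):
    # The "to be signed" part; the CA's signature covers exactly these fields.
    fields = {k: cert[k] for k in ("subject", "public_key", "not_before", "not_after")}
    return json.dumps(fields, sort_keys=True).encode()

def issue(ca_priv, subject, subject_pub, not_before, not_after):
    cert = {"subject": subject, "public_key": subject_pub,
            "not_before": not_before, "not_after": not_after}
    cert["signature"] = sign(ca_priv, _tbs(cert))
    return cert

def validate(cert, ca_pub, now):
    """Client checks: CA signature with the client's local CA public key,
    then that 'now' falls inside the validity period."""
    if not verify(ca_pub, _tbs(cert), cert["signature"]):
        return "bad CA signature"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "outside validity period"
    return "ok"

def handshake(cert, holder_priv, ca_pub, now, nonce):
    """The 'dance': the presenter signs a fresh client nonce with whatever
    private key it holds; the client verifies that proof against the public
    key *inside the certificate*, then validates the certificate itself."""
    proof = sign(holder_priv, nonce)                 # presenter's side
    if not verify(cert["public_key"], nonce, proof):  # client's side
        return "presenter does not hold the certified private key"
    return validate(cert, ca_pub, now)

# --- Constructed actors and scenarios ----------------------------------------
CA_PUB, CA_PRIV = gen_key(1000000007, 998244353)     # the trusted CA
SRV_PUB, SRV_PRIV = gen_key(1000000009, 2147483647)  # the genuine server
ATK_PUB, ATK_PRIV = gen_key(1000000021, 1000000033)  # an impostor
NOW = 1_700_000_000                                  # constructed Unix time
DAY = 86400
CERT = issue(CA_PRIV, "www.example.com", SRV_PUB, NOW - DAY, NOW + 30 * DAY)
NONCE = b"constructed-client-nonce-42"

def scenarios():
    # A certificate for the same name, issued by the impostor's own "CA".
    forged = issue(ATK_PRIV, "www.example.com", ATK_PUB, NOW - DAY, NOW + 30 * DAY)
    return {
        "genuine server": handshake(CERT, SRV_PRIV, CA_PUB, NOW, NONCE),
        "impostor holding only the public certificate":
            handshake(CERT, ATK_PRIV, CA_PUB, NOW, NONCE),
        "impostor with a self-issued certificate":
            handshake(forged, ATK_PRIV, CA_PUB, NOW, NONCE),
        "genuine server after expiry":
            handshake(CERT, SRV_PRIV, CA_PUB, NOW + 60 * DAY, NONCE),
        # Server compromised, private key stolen: the client cannot tell.
        "impostor holding the stolen server key":
            handshake(CERT, SRV_PRIV, CA_PUB, NOW, NONCE),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:48s} -> {verdict}")
```

The last scenario is the risk the comment points at: once the private key leaks, revoking or reissuing the certificate is the only remedy, because the certificate and the public key in it were never secret to begin with.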