If a client sends a CSR to the CA and gets back a certificate signed by the CA, is it standard practice for the client to verify that the certificate is indeed signed by the CA, or can the client trust the CA and assume that there is no compromise (man in the middle etc.)?
Viewed 66 times
2
-
By client, do you mean the webserver or the browser? – 700 Software Oct 07 '16 at 13:49
-
@GeorgeBailey - neither, but a native client application. – user93353 Oct 07 '16 at 14:46
1 Answer
1
Upon certificate retrieval, the client executes a certificate chaining engine (at least, Microsoft CryptoAPI does) and validates the certificate. This includes full certification path, trust and signature validation. Since the certificate is signed by the CA, certificate tampering will be detected immediately.
Crypt32
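What that client-side validation looks like for a native client, written here as an added example with Go's standard library (not code from the question, the answer, or CryptoAPI): `clientVerify` builds the path to the one CA the client trusts, checks the signature, and additionally confirms that the returned certificate carries the key the client put in its CSR. `caIssue` and `must` exist only to produce test material in-process; the names, the P-256 keys and Go 1.18+ (generics) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must keeps the CA-side setup short; an error there is a bug in the example, not a verdict.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// caIssue plays the CA: build a fresh self-signed CA named caName, check the CSR's own
// signature, and sign a one-day leaf certificate for the CSR's subject and public key.
func caIssue(caName string, csrDER []byte) (caCert *x509.Certificate, leafDER []byte) {
	csr := must(x509.ParseCertificateRequest(csrDER))
	must(0, csr.CheckSignature()) // proof of possession of the CSR's private key
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: caTmpl.NotBefore, NotAfter: caTmpl.NotAfter}
	return caCert, must(x509.CreateCertificate(rand.Reader, leaf, caCert, csr.PublicKey, caKey))
}
// clientVerify is the check the question asks about: trust only the pinned CA, verify the
// returned certificate chains to it (path, anchor, signature), and confirm it carries the CSR's key.
func clientVerify(certDER []byte, trustedCA *x509.Certificate, csrKey *ecdsa.PrivateKey) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // unknown issuer, tampered bytes or expiry: reject
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&csrKey.PublicKey) {
		return errors.New("certificate public key does not match the CSR key")
	}
	return nil
}
```

The key comparison is the part a generic chain engine does not do for you: a valid chain to the right CA still says nothing about whether the certificate was issued for your key rather than somebody else's.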