
Sorry for being a noob, but I don't have confidence that I understand this correctly, and I would like someone to give me confirmation and help me understand.

This post helped me a lot in understanding how the browser verifies an HTTPS certificate (SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?)

Here is my understanding, please correct me if I am wrong.

1) How does the chain of trust work: The answer in that post described the chain of trust and how each certificate can be validated by using the higher-level certificate's public key to verify the identity certificate.

The Identity Certificate can be trusted because the Intermediate Certificate's public key can decrypt the Identity Certificate. The Intermediate Certificate can be trusted because the Intermediate Certificate's public key can be decrypted by the Root Certificate.

2) But then how does the browser trust the Root CA?

My understanding is that the Root CA certificate is shipped with the browser / app / OS? So when verifying the Root CA, we compare the public key and digital signature of the Root CA certificate with the one embedded in the browser or OS?

3) The installed Root CA certificate also has an expiry time; it's 20 years long. When it expires, how does the browser / OS verify the Root CA certificate anymore? Do we just pray that the browser will get a new Root CA certificate installed into our system before it expires?

i.e.: Example of the Root CA of *.google.com (Root CA of google.com)

King Chan
  • By the time the roots expire, the certs you'll encounter online will be signed using new roots, which you would either install via a software update or, most likely, just get bundled with whatever OS is out at that time. – André Borie Mar 07 '17 at 01:18

1 Answer


The installed Root CA certificate also has an expiry time; it's 20 years long. When it expires, how does the browser / OS verify the Root CA certificate anymore?

You don't.

Do we just pray that the browser will get a new Root CA certificate installed into our system before it expires?

It will get updated as part of standard software updates, probably long before it expires.

Xiong Chiamiov
  • 1) So does it mean there will be two Root CA certificates installed into the system? One is the old one (the current one used on the server) and one is the future one that has not yet been used? 2) Does that mean if we install a very old version of a browser / curl, there is a chance all HTTPS connections will fail because the Root CA certificate is outdated? – King Chan Mar 07 '17 at 08:39
  • @KingChan Yes to both. Generally there is a long phase-in period for new root certificates before they start needing to be used, but you still run into that problem on occasion. – Xiong Chiamiov Mar 26 '17 at 22:11
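The three points above (the chain of signatures in the question, the trust store that terminates the chain, and the answer's note that an expired root simply stops verifying) can be reproduced with a stand-alone program. The following is an added example using Go's standard `crypto/x509` package; it is not code from the question, the answer, or the linked post. It generates its own root, intermediate and leaf certificates (the names `Demo Root CA`, `Demo Intermediate CA` and `www.example.test` and all validity dates are constructed for the demonstration; the intermediate and leaf are deliberately given windows that outlive the 20-year root so that at the third check time only the root has expired), then verifies the leaf three times: with the root in the trust store, with an empty trust store, and after the root's expiry date.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed validity windows (hypothetical, chosen for the demonstration).
// The root lives 20 years, like the one in the question.
var (
	rootNotBefore   = time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)
	rootNotAfter    = time.Date(2037, 1, 1, 0, 0, 0, 0, time.UTC)
	ValidTime       = time.Date(2036, 9, 1, 0, 0, 0, 0, time.UTC) // every cert in the chain is valid
	AfterRootExpiry = time.Date(2037, 6, 1, 0, 0, 0, 0, time.UTC) // leaf and intermediate valid, root expired
)

// PKI holds a freshly generated three-level chain.
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

var serial int64

// issue creates a certificate for cn signed by parent's key. When parent is
// nil the certificate signs itself, which is how a root certificate is made.
func issue(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildDemoPKI generates root -> intermediate -> leaf. The private keys are
// dropped after issuance: verification needs only the public keys carried
// inside the certificates, exactly as a browser never sees a CA's private key.
func BuildDemoPKI() PKI {
	root, rootKey := issue("Demo Root CA", true, rootNotBefore, rootNotAfter, nil, nil)
	inter, interKey := issue("Demo Intermediate CA", true, rootNotBefore,
		time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC), root, rootKey)
	leaf, _ := issue("www.example.test", false,
		time.Date(2036, 6, 1, 0, 0, 0, 0, time.UTC),
		time.Date(2038, 6, 1, 0, 0, 0, 0, time.UTC), inter, interKey)
	return PKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyLeaf mirrors what a browser does: the server presents leaf plus
// intermediate, the client supplies its own trust store and the current time.
// An empty (non-nil) pool models a client that does not know this root.
func VerifyLeaf(p PKI, rootInTrustStore bool, at time.Time) error {
	roots := x509.NewCertPool()
	if rootInTrustStore {
		roots.AddCert(p.Root)
	}
	inters := x509.NewCertPool()
	inters.AddCert(p.Intermediate)
	_, err := p.Leaf.Verify(x509.VerifyOptions{
		DNSName:       "www.example.test",
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   at,
	})
	return err
}

// IsUnknownAuthority reports whether verification failed because no trusted
// root terminated the chain (the "root not in trust store" case).
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	p := BuildDemoPKI()
	fmt.Println("trusted root, all valid:  ", VerifyLeaf(p, true, ValidTime))
	fmt.Println("root not in trust store:  ", VerifyLeaf(p, false, ValidTime))
	fmt.Println("trusted root but expired: ", VerifyLeaf(p, true, AfterRootExpiry))
}
```

Note that `Verify` never "decrypts" anything: for each link it checks the child's signature with the parent's public key and then checks the parent's own validity window, and the walk ends only when it reaches a certificate present in the caller's root pool. Passing an empty pool rather than `nil` matters, because a `nil` `Roots` makes Go fall back to the operating system's trust store, which is the very behaviour the question asks about.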