As I'm studying how HTTPS works, one thing baffled me a lot, that is: How does the browser verify whether an SSL certificate was issued by a trusted CA? Does the browser verify this by asking the CA's server? Or is it just the case that only a CA can issue those certificates? I couldn't find the answer anywhere, so it might be a good addition to this forum.
- It is very basic information, but perhaps uses different terms than what you might've searched for. Also, check this: https://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified#188308 – Sas3 Jun 29 '17 at 02:36
- The answer is not found here because it is foundational info about the basics of PKI. The answer is found on wiki. – schroeder Jun 29 '17 at 07:18
1 Answer
How does the browser verify whether an SSL certificate was issued by a trusted CA? Does the browser verify this by asking the CA's server? Or is it just the case that only a CA can issue those certificates?
You want to read about the topic of digital signatures. A digital signature allows someone (the CA) to claim that they have authored some data (a certificate containing claims), in a way that is impossible to forge.
Understanding digital signatures starts with public-key cryptography. The CA creates a pair of keys, a private key and a public key, that are mathematically linked such that, using their private key and a hash of the data, the CA can compute a number (the digital signature) that can be verified by other people who have the linked public key.
Browsers ship with the public keys of a number of trusted Certificate Authorities, which they use as the root of trust. Using this repository of public keys, the browser doesn't need to contact the CA to validate the signature (though note, it does need to contact the CA to verify that the signature hasn't been revoked).