4

I'm talking about SSL/TLS certificate authorities. I know that they store their private key in a very secure location. But what about their public key that our browsers use? Where does it get stored in the browser?
The browser verifies that the certificate of the web server is signed by a CA using the public key of the CA; so how and where does the browser store this public key of the CA?

Is it possible to edit these public keys? Thus, by having physical access to someone's web browser/computer, can an attacker change those public keys to their own public keys and render the CA on that particular computer/web browser useless?

Vinay Yadav
  • 103
  • 2
ATheCoder
  • 163
  • 1
  • 4
  • I'm really not sure what you're asking and I think there might be words missing in at least one sentence. Can you try and rephrase your question? – Tobi Nary Jan 28 '18 at 11:14
  • @SmokeDispenser What exactly is that you didn't understand? – ATheCoder Jan 28 '18 at 11:19
  • - you cannot store anything _on_ a location, - the next sentence is incomprehensible, - I’m not sure what the goal would be. Do you even know how certificates work? If you got access to the trust store, you could add your own certificate. That would be way more powerful than destroying certificates that can easily be recreated. – Tobi Nary Jan 28 '18 at 11:23
  • @SmokeDispenser I meant the server containing the private key. And you do not have access to the trusted store; that is like having access to the private key. I'm talking about the public key that is used by the web browser to validate the already issued certificate's signature, to make sure that the certificate is actually issued by the CA and not by anyone else claiming to be that CA. – ATheCoder Jan 28 '18 at 11:44
  • Yeah, you need to look up what a trust store is. And also, how certificate signing works. If you still have questions then, maybe you are able to bring them across in a coherent way. – Tobi Nary Jan 28 '18 at 11:45
  • Here's a hint: a CA certificate is the public key, signed with the private key. – Tobi Nary Jan 28 '18 at 11:48
  • @SmokeDispenser But how does the web browser know that the signature is valid? Doesn't it need a public key to verify the integrity of the signature? – ATheCoder Jan 28 '18 at 12:28

1 Answer

9

The public key of the CA is stored in the certificate of the CA, and this certificate is stored in the local trust store on the client's system. It is true that an attacker who has access to the local trust store could replace existing CA certificates or add new ones. But if the attacker has this kind of access he can do a lot more harm anyway, like replacing the existing software on the system with a similar one having a backdoor or other malicious behavior.

For more information see SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • My question is how does the web browser know that the signature is valid? – ATheCoder Jan 28 '18 at 12:27
  • 2
    That in fact the signature is signed by the Issuing CA? – ATheCoder Jan 28 '18 at 12:27
  • @TheGreatA: I'm not sure what you are asking. How to find out which CA has issued the certificate is described in the link I've provided. If you want to know how digital signatures work and thus how to verify that a signature is valid and not corrupted see [how digital signature verification process works](https://security.stackexchange.com/questions/8034/how-digital-signature-verification-process-works). – Steffen Ullrich Jan 28 '18 at 12:42
  • 2
    @ATheCoder: You are referring to the trusted Certificate Authorities (CAs) whose public keys are built into all the browsers. This is how a browser knows whether a Certificate Authority is a valid one. In Chrome under manage certificates you can see them. This will lead us to the System Roots section in the Keychain app in the case of macOS https://support.apple.com/en-us/HT202858 – firstpostcommenter Jul 07 '20 at 16:51