When you establish a new SSL connection, during the handshake the server sends you his certificate together with the public key. Then the browser checks the certificate against the CA. However, I do not understand based on what the CA decides that the server I want to talk to is the correct one? Is it based on the IP address?

Dakado
  • *"what the CA decides that the server I want to talk to is the correct on"* - the CA "decides" nothing. It has no active role in validation of the certificate. – Steffen Ullrich Apr 15 '21 at 15:13
  • If the certificate is public and everyone can ask the server to send the certificate, what is preventing me from stealing it? – Dakado Apr 15 '21 at 19:03
  • The fact that the certificate is public but the matching private key is not. And the private key is needed to prove ownership of the certificate inside the TLS handshake, i.e. "authentication". – Steffen Ullrich Apr 15 '21 at 19:22

0 Answers
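
Added example, not part of the original question or comments: a simplified Node.js model of the private-key proof described in the last comment above. The "certificate" here is a constructed stand-in (a name plus a public key, with no CA signature), the client challenge is a bare nonce rather than the real TLS handshake transcript, and all function names are hypothetical.

```javascript
// Simplified model of TLS server authentication (not real TLS or X.509).
const crypto = require('crypto');

// Constructed stand-in for a certificate: a subject name bound to a public key.
// A real certificate also carries the CA's signature over these fields.
function makeIdentity(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const cert = {
    subject: name,
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
  };
  return { cert, privateKey }; // cert is public, privateKey never leaves the server
}

// Server side: sign the client's fresh handshake data with the private key.
function proveOwnership(privateKey, nonce) {
  return crypto.sign(null, nonce, privateKey);
}

// Client side: check the signature against the public key in the presented certificate.
function verifyOwnership(cert, nonce, signature) {
  const publicKey = crypto.createPublicKey(cert.publicKeyPem);
  return crypto.verify(null, nonce, publicKey, signature);
}

function demo() {
  const real = makeIdentity('www.example.test'); // constructed sample name
  // A party that copied the public certificate holds only a key pair of its own.
  const copier = { cert: real.cert, privateKey: makeIdentity('unused').privateKey };

  // A signature recorded from an earlier connection, made over that connection's nonce.
  const recorded = proveOwnership(real.privateKey, crypto.randomBytes(32));

  const nonce = crypto.randomBytes(32); // fresh for this connection
  return {
    genuine: verifyOwnership(real.cert, nonce, proveOwnership(real.privateKey, nonce)),
    copiedCert: verifyOwnership(copier.cert, nonce, proveOwnership(copier.privateKey, nonce)),
    replayed: verifyOwnership(real.cert, nonce, recorded),
  };
}

console.log(demo()); // { genuine: true, copiedCert: false, replayed: false }
```

Presenting the copied certificate fails because the signature does not match the public key inside it, and a signature recorded from an earlier connection fails because it was made over different handshake data.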