Monday, March 8, 2010

How Certificates are used

Certificates are typically used to generate confidence in the legitimacy of a public key: a certificate binds a public key to a name, and it is signed by an authority that vouches for that binding. Someone verifying a signature can also verify the signer's certificate, to ensure that no forgery or false representation has occurred. These steps can be performed with greater or lesser rigor depending on the context.

The most rigorous form of authentication encloses one or more certificates with every signed message. The receiver first verifies the enclosed certificate using the certifying authority's public key and, now confident of the sender's public key, verifies the message's signature with it. Two or more certificates may be enclosed, forming a hierarchical chain in which each certificate is verified with the public key carried in the next certificate up. At the top of the hierarchy is a top-level certifying authority (the trust anchor), whose own certificate is not vouched for by any other authority: its public key must be known independently, for example by being widely published or shipped with the verifier's software. The more rigorous the verification, the more is checked at each link: not only the signature, but also that the certificate is within its validity period and has not been revoked.

SSL Server Authentication

1. Client sends an https request to the server.
2. Server sends its certificate (and any intermediate CA certificates) to the client.
3. Client validates the certificate: the signature chain leads to a CA the client trusts, every certificate in the chain is within its validity period, and the name in the server's certificate matches the host the client asked for.
4. Client decides whether the certificate (and the issuing CA) is trustworthy; if any check fails, the connection is abandoned before any secret is sent.
5. Client sends the server a session key (strictly, a pre-master secret from which both sides derive the session keys), encrypted with the server's public key. This is the RSA key exchange; with a Diffie-Hellman exchange the key is agreed instead, and the server's private key only signs the exchange.
6. Server decrypts the session key with its private key.
7. Client-server transactions are now encrypted with the session key.

Certificate Chain

Relying Party Certification
A relying party builds a certificate path from the other subscriber's certificate (the certificate it has been handed) up to the relying party's own trust anchor, checking each signature along the way.

Mark gets a cert from Phyllis
1. Phyllis's cert is signed by Red CA
2. Red's cert is signed by Blue CA
3. Blue's cert is signed by Green CA
Green CA is Mark's trust anchor, so Mark already holds Green's public key: he verifies Blue's cert with it, then Red's cert with Blue's key, then Phyllis's cert with Red's key; therefore Mark trusts Phyllis's cert. Had Mark's trust anchor been some other CA that signed nothing in this chain, the path would not close and Phyllis's cert would be rejected.
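An added worked example, written for this page in Go using only the standard library (it is not code from the original post), that puts the three sections above together: it mints the post's Green CA, Blue CA, Red CA and Phyllis as throw-away certificates at run time, has Mark build the path from Phyllis's certificate to his trust anchor exactly as in the steps just listed, and then runs the SSL/TLS server authentication handshake from the earlier section over a loopback TCP connection, with Phyllis as the server and Green CA as the only root the client trusts. The host name phyllis.example, the function names and the choice of ECDSA P-256 keys are assumptions made for the example; nothing here is a real CA. The client's decision in steps 3 and 4 happens inside the handshake: if validation fails, the connection is never completed and no session key is sent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// entity is a certificate plus its private key; all are generated afresh here.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue mints a certificate for name signed by parent; a nil parent gives a
// self-signed root (a trust anchor). host is bound into a server (leaf) cert.
func issue(name string, isCA bool, parent *entity, host string) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{host}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed: the certificate vouches for its own key
		parent = &entity{tmpl, key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &entity{cert, key}
}

// pool wraps certificates in a CertPool.
func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// buildPath is the relying party's job: from Phyllis's certificate and the
// intermediates she supplied, find a chain ending at Mark's trust anchor.
// The path comes back leaf first, anchor last.
func buildPath(leaf, anchor *x509.Certificate, host string, inter ...*x509.Certificate) ([]*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool(anchor), Intermediates: pool(inter...), DNSName: host})
	if err != nil {
		return nil, err // untrusted anchor, expired, wrong name, bad signature...
	}
	return chains[0], nil
}

// tlsExchange runs the SSL server authentication steps over loopback TCP: the
// server presents its chain, the client validates it against its trust anchor
// and returns the path it accepted, or the error that stopped the handshake.
func tlsExchange(server *entity, anchor *x509.Certificate, host string, inter ...*x509.Certificate) ([]*x509.Certificate, error) {
	chain := [][]byte{server.cert.Raw} // leaf first, then the intermediates
	for _, c := range inter {
		chain = append(chain, c.Raw)
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // server: accept one connection, run the handshake, hang up
		if c, err := ln.Accept(); err == nil {
			tls.Server(c, &tls.Config{Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: server.key}}}).Handshake()
			c.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool(anchor), ServerName: host})
	if err != nil {
		return nil, err // steps 3-4 failed: no session key is sent, no data flows
	}
	defer cli.Close()
	return cli.ConnectionState().VerifiedChains[0], nil
}
```

The file is a library-style main package: call the two functions from your own main or a test. With green, blue, red and phyllis created by issue in that order, buildPath(phyllis.cert, green.cert, "phyllis.example", red.cert, blue.cert) returns the four certificates Phyllis, Red CA, Blue CA, Green CA in that order; handing it an anchor that signed nothing in the chain, a different host name, or no intermediates fails with an error, and so does tlsExchange when the client's only root is not one of the CAs above. Making Blue CA the anchor instead works too and yields a three-certificate path, which is the point of the relying party section: the path only has to reach whatever the relying party already trusts.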

3 comments:

  1. This article gave me clear view how certificates are used. I never realised how complicated it is. Great work.

  2. Easy to follow sequence. Tracing the security certificate is a very important thing in web surfing. I didn't know so many steps were involved.

  3. If I need to mention anything about the post, I should say that this is a great post, as I have been searching for such a topic for a long time... Well done bro! Keep it up!
