What are the criteria WebRequest uses to validate the host certificate if it is an SSL connection?


Solution

The complete validation mechanism is described in RFC 5280, section 6.

In brief:

Certificate validation is not a one-step process. It's a complex procedure that involves validation of the certificate chain from the end-entity certificate (the one being validated) to the CA certificate and up to the trusted root certificate. For each certificate in the chain the following steps are taken:

  • Analyzing the certificate itself (values of different certificate fields and extensions)
  • Checking certificate integrity with the CA certificate
  • Checking certificate revocation status in Certificate Revocation Lists and using the OCSP protocol

As CRLs and OCSP responses are signed using certificates, those certificates are validated as well, giving us extra certificate chains.

So you end up validating not a single certificate, and not a chain of certificates, but a tree of certificates.
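
The per-certificate checks described in the answer above can be observed with .NET's `X509Chain` class, which reports a status for every element of the chain it builds. This is an added example, not part of the original answer; it assumes .NET 5 or later (for `CustomRootTrust`) and uses a constructed throwaway root and leaf ("Example Test Root", "host.example"), with revocation checking turned off because constructed certificates publish no CRL or OCSP endpoint.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainDemo
{
    // Constructed throwaway PKI: a self-signed root CA and one leaf it issues.
    static (X509Certificate2 Root, X509Certificate2 Leaf) MakePki()
    {
        var now = DateTimeOffset.UtcNow;
        using var caKey = RSA.Create(2048);
        var caReq = new CertificateRequest("CN=Example Test Root", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        var root = caReq.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));
        using var leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=host.example", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        return (root, leafReq.Create(root, now, now.AddDays(7), new byte[] { 1, 2, 3, 4 }));
    }

    // Builds the chain for 'leaf' and prints the status of every element.
    static bool Validate(X509Certificate2 leaf, X509Certificate2 root, bool trustRoot)
    {
        using var chain = new X509Chain();
        // Trust only what is listed here, so the machine's root store plays no part.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        if (trustRoot) chain.ChainPolicy.CustomTrustStore.Add(root);
        else chain.ChainPolicy.ExtraStore.Add(root); // available as issuer, but not trusted
        // Constructed certificates publish no CRL or OCSP endpoint. For a real server
        // certificate, use X509RevocationMode.Online with X509RevocationFlag.EntireChain.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool ok = chain.Build(leaf);
        foreach (X509ChainElement el in chain.ChainElements)
        {
            Console.WriteLine($"  {el.Certificate.Subject} (issuer: {el.Certificate.Issuer})");
            foreach (X509ChainStatus s in el.ChainElementStatus)
                Console.WriteLine($"    {s.Status}: {s.StatusInformation.Trim()}");
        }
        return ok;
    }

    static void Main()
    {
        var (root, leaf) = MakePki();
        Console.WriteLine("Root trusted -> valid: " + Validate(leaf, root, true));
        Console.WriteLine("Root not trusted -> valid: " + Validate(leaf, root, false));
    }
}
```

The same leaf passes or fails depending only on whether its root is in the trust store, and the failure is reported on the root element of the chain rather than on the leaf.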

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow