Question

how do you validate the digital certificate SSL? so that you know the response came from the correct website?


Solution

The procedure of certificate validation is described in RFC 5280 and several supplementary standards. It is quite complex and depends on what tools / libraries / components you plan to use.

In brief the steps are:

  1. Find the CA certificate. If it's missing, you are out of luck in validation. If the certificate is self-signed, the user should decide if he can trust this certificate.
  2. Check that the certificate has been issued to the site you are connecting to (by inspecting the Subject field and the Subject Alternative Name extension).
  3. Check that the certificate can be used for SSL (inspect the Key Usage field).
  4. Check that the certificate has not been revoked, using CRLs and an OCSP responder.
  5. If all of the above is OK, validate the CA certificate in a similar manner. Repeat until you get up to a trusted certificate (it can be a trusted root or a previously trusted CA).

We implemented a complete and flexible certificate validator which does all of the above in our SecureBlackbox library.
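As an added example (not code from the answer or from SecureBlackbox), here are steps 1, 2, 3 and 5 done with Go's standard crypto/x509 package, whose Certificate.Verify builds the path to a trusted root, matches the hostname against the SAN/Subject and checks the server-auth extended key usage. The chain (root, intermediate, leaf for example.com) is constructed in memory, and step 4, revocation, is not performed by crypto/x509 and has to be added separately via a CRL fetch or an OCSP query.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mintCert issues tmpl signed by parent; with a nil parent the certificate is self-signed.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyChain does steps 1, 2, 3 and 5: path building from leaf through inter to the trusted root,
// hostname match against SAN/Subject, server-auth usage. Step 4 (CRL/OCSP) is not covered here.
func VerifyChain(leaf, inter, root *x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	rootPool.AddCert(root)  // the trust anchor the chain must end at
	interPool.AddCert(inter) // untrusted helper certs, as a server would send them
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: rootPool, Intermediates: interPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// BuildDemoChain constructs a sample in-memory chain root -> intermediate -> leaf for example.com.
func BuildDemoChain() (leaf, inter, root *x509.Certificate) {
	now := time.Now()
	ca := func(cn string, serial int64) *x509.Certificate { // CA template: basic constraints + CertSign
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	}
	root, rootKey := mintCert(ca("Demo Root CA", 1), nil, nil)
	inter, interKey := mintCert(ca("Demo Intermediate CA", 2), root, rootKey)
	leaf, _ = mintCert(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example.com"},
		DNSNames: []string{"example.com"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, inter, interKey)
	return leaf, inter, root
}
```

Calling VerifyChain with a hostname that is not in the SAN, or with a root that did not sign the intermediate, returns an error (x509.HostnameError and x509.UnknownAuthorityError respectively), which is the point at which a client must abort the connection.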

Licensed under: CC-BY-SA with attribution