Question

I am a bit confused in understanding the SSL Certificate validation by Web Browsers.


Looking at the certificate which I see in Firefox after connecting to google.com, it actually has three certificates in a chain:

1) GeoTrust Global CA [I guess this is root certificate]

2) Google Internet Authority G2

3) *.google.com

I know that 3 is issued by 2 and 2 is issued by 1. 1 is self-issued.

So, it means Google is sending a certificate chain to the browser. How does the browser validate all three certificates?

Is the order of validation 3->2->1 or 1->2->3? I don't think *.google.com will be present in Firefox's trusted certificate list, as it cannot store all such website-specific certificates.

What is the exact computation done by the browser to establish trust in the certificate?


Solution

The browser is initially set up with a set of trust anchors (the CA certificates it trusts). What these are may depend on the operating system or installation.

One of these trust anchors is GeoTrust Global CA.

When connecting to www.google.com, the server sends its certificate chain, *.google.com and Google Internet Authority G2. The browser then verifies that *.google.com was indeed signed by Google Internet Authority G2. It then looks for the issuer of Google Internet Authority G2 and tries to match it with the subject of one of the trust anchors it knows (GeoTrust Global CA). When it has found a match, it also verifies the signature of Google Internet Authority G2 using GeoTrust Global CA's public key.

There's a bit more to it than that: checking validity in time and various usage attributes.
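As an added illustration (not part of the original question or answer), the following Python script builds a constructed root/intermediate/leaf chain in memory with the `cryptography` package and walks it the way the answer describes: starting at the leaf, match each issuer name against the sent intermediates or the trust anchors, verify each signature with the parent's public key, and check validity dates along the way. All names and keys are made up, and `issue`, `signed_by`, `verify_chain` and `build_demo_chain` are helpers written for this example.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, issuer_cn, issuer_key, subject_key, ca):  # constructed demo certs only
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, candidate):
    """Is candidate marked as a CA, and does its public key verify cert's signature?"""
    if not candidate.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        return False                                        # a leaf may not act as an issuer
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def verify_chain(leaf, sent_intermediates, trust_anchors, now=None):  # leaf -> ... -> anchor
    now = (now or dt.datetime.now(dt.timezone.utc)).replace(tzinfo=None)
    anchors = {c.subject: c for c in trust_anchors}
    pool = {c.subject: c for c in sent_intermediates}
    cert = leaf
    while True:
        if not (cert.not_valid_before <= now <= cert.not_valid_after):
            return False                                     # expired or not yet valid
        parent = anchors.get(cert.issuer) or pool.pop(cert.issuer, None)  # anchor first; pop stops loops
        if parent is None or not signed_by(cert, parent):
            return False                                     # unknown issuer or bad signature
        if cert.issuer in anchors:
            return True                                      # chain ends at a trusted root
        cert = parent

def build_demo_chain():
    """Constructed stand-in for the question's chain: root -> intermediate -> leaf."""
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    return (issue("Demo Root CA", "Demo Root CA", root_key, root_key, True),
            issue("Demo Intermediate CA", "Demo Root CA", root_key, inter_key, True),
            issue("*.example.test", "Demo Intermediate CA", inter_key, leaf_key, False))
```

Note that a second root with the same subject name but a different key makes `verify_chain` fail: the issuer-name match only selects the candidate, and the signature check is what actually establishes trust.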

Licensed under: CC-BY-SA with attribution