X.509 certificate validation process

情到浓时终转凉 submitted on 2019-12-20 06:18:52

Question


I have been reading on X.509 certificates and I just don't quite get how the entire process works.

So this is how I understand it: the CA is some company which produces certificates. Someone who wants to use one, like a bank website, contacts the CA and buys a certificate containing the public key to encode the messages for the website, which can only be decoded by the site's private key.

This is where I get confused: how does the user (some web browser) check that the certificate it received is actually true and really came from the correct site? How does it know it's still valid? What kind of checks are made to make sure everything is OK?


Answer 1:


The CA not only signs the certificate of the server (bank website) but also has its own certificate signed by (a CA which has its certificate signed by...) a root CA. The root CA gives its certificate to the browser vendor which includes it in its set of trusted root certificates.

The whole thing builds on the idea of a "chain of trust": Signing a certificate means "If you trust me (root or intermediate CA), then you can trust him (intermediate CA or server)". Your browser only needs to trust the root CA (which it has the certificate of) to be able to find out if it can trust the server (bank website). See https://en.wikipedia.org/wiki/Chain_of_trust

Certificates may become invalid, e.g. due to a security breach (e.g. private key stolen). Such an event is indicated to the CA, which provides this information publicly. The browser can access this information by Certificate Revocation Lists (CRLs) or by Online Certificate Status Protocol (OCSP). Browsers should be configured in such a way as to not accept certificates which they cannot verify to be still valid. See https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
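The chain-of-trust checks the answer describes, as an added example that is not part of the original post: it builds a throwaway root -> intermediate -> leaf chain with the OpenSSL CLI and then validates the leaf the way a browser does (signatures checked up to an explicitly trusted root, every CA in the path marked CA:TRUE, every certificate inside its validity period, and the presented hostname matched against the leaf). The names (Example Root CA, bank.example, Untrusted Root) are made up for the demo; the script assumes the `openssl` binary is on PATH.

```shell
#!/bin/sh
# Added example: toy PKI built on the fly, then browser-style validation of the leaf.
set -e

# issue_cert NAME SUBJECT EXTFILE ISSUER DAYS
# ISSUER empty = self-signed (a root); otherwise signed by ISSUER's key.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days "$5" \
      -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days "$5" -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# Builds the demo chain in a fresh temp dir (left in place for inspection).
build_demo_chain() {
  WORK=$(mktemp -d)
  # CAs must carry basicConstraints CA:TRUE; the leaf must not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:bank.example\n' > "$WORK/leaf.ext"
  issue_cert root  "/CN=Example Root CA"         "$WORK/ca.ext"   ""    30
  issue_cert inter "/CN=Example Intermediate CA" "$WORK/ca.ext"   root  30
  issue_cert leaf  "/CN=bank.example"            "$WORK/leaf.ext" inter 30
  # A second, unrelated self-signed root: a CA the "browser" does not trust.
  issue_cert rogue "/CN=Untrusted Root"          "$WORK/ca.ext"   ""    30
}

# verify_leaf TRUSTED_ROOT INTERMEDIATE LEAF HOSTNAME
# Succeeds only if LEAF chains to TRUSTED_ROOT via INTERMEDIATE, every cert
# is in date and a valid CA where required, and LEAF is issued for HOSTNAME.
verify_leaf() {
  openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" \
    -verify_hostname "$4" "$WORK/$3.pem" >/dev/null 2>&1
}

build_demo_chain
verify_leaf root  inter leaf bank.example  && echo "trusted root + valid chain: accepted"
verify_leaf rogue inter leaf bank.example  || echo "root not in trust store: rejected"
verify_leaf root  rogue leaf bank.example  || echo "intermediate missing: rejected"
verify_leaf root  inter leaf other.example || echo "hostname mismatch: rejected"
```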



Source: https://stackoverflow.com/questions/19069359/x-509-certificate-validation-process
