Public Key Infrastructure and Certificate Services on Windows Server 2003

Validating Certificates
When a computer receives a certificate that is to be used to prove the identity of an entity, the CA is also involved, though not directly. Specifically, the CA's root certificate is involved. The root certificate is the certificate created by the CA administrator when the CA was installed, and it is distributed to all entities that trust the CA.
Certificate chain information stored in a certificate
This is an example of my personal email certificate. Contained in the certificate is the name of the CA that issued it. In this case the Personal Freemail RSA 2000.8.30 CA issued the certificate, and the Thawte Personal Freemail CA issued that CA's certificate. For an entity to confirm that my certificate is valid, and hence that I am who I claim to be (the public key will be used to validate a digital signature), the entire chain must be verified and trusted. Below is an example of the procedure that would verify Alice's certificate.
- Bob receives Alice’s certificate and verifies that the certificate has not expired.
- The certificate is then examined to determine which CA issued it.
- If that CA is a trusted CA, the CA's certificate is retrieved and the CA's public key is used to decrypt the hash on Alice's certificate.
- The decrypted hash is compared with a new hash of the certificate that Bob generates; if they match, the certificate is valid and has not been tampered with.
- Bob is now able to trust Alice's public key and to decrypt data sent by Alice.
It is important to note that this example uses only a single CA. In the case of my certificate above, there are multiple CAs in the trust chain, so this procedure is repeated for each certificate in the chain until the root CA is reached. The root CA uses a special kind of certificate called a self-signed certificate: the root CA signs its own certificate. In other words, we implicitly trust that the root CA is who it claims to be; there is no technical verification.
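The procedure above, walked over a constructed three-certificate chain, as an added example in Go that is not code from the original article: Go's standard crypto/x509 package builds a self-signed root, an issuing CA and an end-entity certificate, and VerifyChain performs the expiry check, issuer lookup and signature check link by link until it reaches a certificate issued by a root in the trust store, which is accepted on trust exactly as the text describes. The function names (newCert, issuerOf, VerifyChain) and the CA names are this example's own choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent; a nil parent yields a self-signed root (constructed test data).
func newCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: isCA, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// issuerOf returns the certificate whose subject matches cert's issuer name, plus the index of the pool it came from.
func issuerOf(cert *x509.Certificate, pools ...[]*x509.Certificate) (*x509.Certificate, int) {
	for i, pool := range pools {
		for _, c := range pool {
			if cert.Issuer.String() == c.Subject.String() {
				return c, i
			}
		}
	}
	return nil, -1
}
// VerifyChain applies the steps in the text: expiry check, issuer lookup, signature check, repeated up to a trusted root.
func VerifyChain(leaf *x509.Certificate, intermediates, trusted []*x509.Certificate, now time.Time) error {
	for cert, depth := leaf, 0; ; depth++ {
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			return x509.CertificateInvalidError{Cert: cert, Reason: x509.Expired}
		}
		issuer, pool := issuerOf(cert, trusted, intermediates) // pool 0 = trust store, 1 = intermediates
		if issuer == nil || depth > len(intermediates) { // no issuer, or the chain loops without reaching a root
			return x509.UnknownAuthorityError{Cert: cert}
		}
		if err := cert.CheckSignatureFrom(issuer); err != nil || pool == 0 {
			return err // nil when a trusted root signed it: the root itself is trusted implicitly, never verified
		}
		cert = issuer // climb one link and repeat the same checks on the CA's own certificate
	}
}
```

A name match alone does not establish trust: an impostor CA carrying the same name as the issuing CA fails the signature check, and a certificate whose issuer is in neither the intermediates nor the trust store is rejected as an unknown authority.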
Written by Corey Hynes
Entire site Copyright © 1999-2007 2000Trainers.com, all rights reserved.