Public Key Infrastructure and Certificate Services on Windows Server 2003

Validating Certificates

When a computer receives a certificate that is to be used to prove the identity of an entity the CA is also involved, though not directly. Specifically, the CA’s root certificate is involved. The root certificate is the certificate that was created by the CA administrator when the CA was installed, and is distributed to all entities that trust the CA.

Certificate chain information stored in a certificate

This is an example of my personal email certificate. Contained in the certificate is the name of the CA that issued the certificate. In this case the Personal Freemail RSA 2000.8.30 CA issued the certificate. The Thwarte Personal Freemail CA issued this CA’s certificate. In order for an entity to validate that my certificate is valid, and hence that I am who I claim to be (the public key will be used to validate a digital signature) the entire chain must be verified and trusted. Below is an example of the procedure that would accomplish verification of Alice’s certificate.

  1. Bob receives Alice’s certificate and verifies that the certificate has not expired.
  2. The certificate is then examined to determine which CA issued the certificate.
  3. If the CA is a trusted CA, then the CA’s certificate is retrieved and the public key of the CA is used to decrypt the hash on Alice’s certificate.
  4. The decrypted hash is compared with a new hash that Bob generates and if they match, then the certificate is valid and has not been tampered with.
  5. Bob is able to trust Alice’s public key, and decrypt data sent by Alice.

It is important to note that this example only uses a single CA. In the case of my certificate above, there are multiple CA’s in the trust chain. This procedure would be repeated for each certificate in the chain until the root CA is reached. The root CA uses a special kind of certificate called a self-signing certificate. In other words, we implicitly trust that the CA is who they claim to be, there is no technical verification.