x.509 questions


Just wondering what process a system goes through to verify
an X.509 certificate.

For example, say a web client gets a certificate from a web server
that has been signed by a trusted certificate authority; how does the
client check the validity?

Does the client connect with the CA for this verification, and if so, what
defines how this communication takes place?  Is there an RFC that
defines this?

Or does the client have a bunch of built-in public keys for well

I hope I am phrasing my question correctly.  In a nutshell: how does
the client figure out if a certificate is valid?  If it needs to connect
with a CA, which RFC defines the protocol it uses for the connection?

Assuming it does have to connect with the CA, how does the client know
that it is really connected to the CA and not some other place because
Garth has mucked with the DNS server?

Thanks in advance.

Re: x.509 questions


Yes, the latter.  You need a set of trust anchors---<public key, name>
pairs that you trust.  That's something you can't really get safely
over a protocol, as you indicate.  So it's assumed to be local.

Probably the easiest place to look is RFC 3280.  Section 6 describes
certificate path validation.
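To make that concrete, here is an added example (not from the thread) that models the RFC 3280 section 6 walk in Python: a local trust-anchor table, issuer-name chaining, signature, validity-period, cA and pathLenConstraint checks. All names, keys and dates are constructed, and an HMAC with the issuer's key stands in for a real public-key signature; note that nothing in the walk contacts the CA.

```python
import hashlib
import hmac
import json

def _tbs(cert):
    # Canonical to-be-signed bytes: every field except the signature itself.
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()

def _sig(cert, key):
    return hmac.new(key.encode(), _tbs(cert), hashlib.sha256).hexdigest()

def issue(issuer_key, **fields):
    # A CA "signing" a certificate. HMAC stands in for a real public-key signature.
    return dict(fields, sig=_sig(fields, issuer_key))

def validate_path(chain, trust_anchors, today):
    """Simplified RFC 3280 section 6.1 path validation; returns (ok, reason).
    chain = [leaf, ..., last intermediate]; trust_anchors = {name: key}, the
    client's local store. No step contacts the CA: everything is computed
    from the chain plus the local anchors."""
    path = list(reversed(chain))                      # anchor side first
    anchor = path[0]["issuer"]
    if anchor not in trust_anchors:
        return False, f"no local trust anchor for {anchor!r}"
    name, key, max_path_len = anchor, trust_anchors[anchor], len(path)
    for i, cert in enumerate(path):
        if cert["issuer"] != name:
            return False, f"{cert['subject']!r} not issued by {name!r}"
        if not hmac.compare_digest(cert["sig"], _sig(cert, key)):
            return False, f"bad signature on {cert['subject']!r}"
        if not cert["not_before"] <= today <= cert["not_after"]:
            return False, f"{cert['subject']!r} outside validity period"
        if i < len(path) - 1:                         # intermediate: must be a CA
            if not cert.get("ca"):
                return False, f"{cert['subject']!r} is not a CA"
            if max_path_len <= 0:
                return False, "pathLenConstraint exceeded"
            max_path_len -= 1
            if cert.get("path_len") is not None:
                max_path_len = min(max_path_len, cert["path_len"])
        name, key = cert["subject"], cert["key"]      # this cert signs the next one
    return True, "valid"

# Constructed sample PKI: one local trust anchor, one intermediate, one leaf.
TRUST_ANCHORS = {"Example Root CA": "root-key"}
SUB_CA = issue("root-key", subject="Example Sub CA", issuer="Example Root CA", key="sub-key",
               ca=True, path_len=0, not_before="2024-01-01", not_after="2034-01-01")
LEAF = issue("sub-key", subject="www.example.com", issuer="Example Sub CA", key="leaf-key",
             ca=False, not_before="2024-06-01", not_after="2025-06-01")
```

Calling `validate_path([LEAF, SUB_CA], TRUST_ANCHORS, "2024-12-01")` returns `(True, "valid")`; tampering with any field, an expired leaf, a missing anchor, or an extra CA below the `path_len=0` intermediate each produce a specific failure reason.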
