Nimbostratus
CumulonimbusHi,
browser stores a list of trusted certificate authority, installed with the browser or using OS trusted CA list.
Here's how the TLS handshake works (source https://idea.popcount.org/2012-06-16-dissecting-ssl-handshake/😞
Client Server
| |
| ----------- ClientHello ---------> |
| |
| <---------- ServerHello ---------- |
| <---------- Certificate ---------- |
| ... |
| <-------- ServerHelloDone -------- |
| ... |
when server send certificate, it must include all certificates between server certificate and root CA (stored in the browser) but not the root CA.
if one intermediate certificate is missing in the chain, the certificate will not be validated.
When Client receive the certificate, it will check against OCSP or CRL services if the certificate is not revoked. (the server can have included the OCSP result with the certificate, this function is called OCSP stapling)
After that, the browser will keep in memory the certificate used for the connection.