Forum Discussion
How does any browser know about a certificate
Hi,
The browser stores a list of trusted certificate authorities, either installed with the browser or taken from the OS trusted CA list.
Here's how the TLS handshake works (source: https://idea.popcount.org/2012-06-16-dissecting-ssl-handshake/):
Client                          Server
|                                    |
| ----------- ClientHello ---------> |
|                                    |
| <---------- ServerHello ---------- |
| <---------- Certificate ---------- |
|                ...                 |
| <-------- ServerHelloDone -------- |
|                ...                 |
When the server sends its certificate, it must include all certificates between the server certificate and the root CA (stored in the browser), but not the root CA itself.
If one intermediate certificate is missing from the chain, the certificate will not be validated.
When the client receives the certificate, it checks against OCSP or CRL services that the certificate is not revoked. (The server may have included the OCSP result with the certificate; this function is called OCSP stapling.)
After that, the browser keeps the certificate used for the connection in memory.
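
The chain rule described in the answer above, reproduced with OpenSSL as an added example (not part of the original post): it builds a throwaway root, intermediate and server certificate, then verifies the server certificate with and without the intermediate. All names and file paths are constructed for the demo, and it assumes the `openssl` command-line tool (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example: throwaway three-level PKI (every name here is constructed).
d=$(mktemp -d)

new_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}

build_chain() {
  # Extensions that mark a certificate as a CA (root and intermediate need them).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  # Root CA: self-signed; stands in for an entry in the browser/OS trust store.
  new_csr root "Demo Root CA" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  # Intermediate CA: signed by the root; the server has to send this one.
  new_csr int "Demo Intermediate CA" &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  # Server (leaf) certificate: signed by the intermediate.
  new_csr leaf "www.example.test" &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Server sent leaf + intermediate; the client supplies the root from its store.
verify_as_sent() {
  openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" \
    "$d/leaf.pem" >/dev/null 2>&1
}

# Server sent only the leaf: no path from leaf to the trusted root can be built.
verify_missing_intermediate() {
  openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" >/dev/null 2>&1
}

build_chain || { echo "could not build the demo chain" >&2; exit 1; }
if verify_as_sent; then echo "leaf + intermediate: verified"
else echo "leaf + intermediate: FAILED"; fi
if verify_missing_intermediate; then echo "leaf only: verified"
else echo "leaf only: rejected (issuer of the leaf is unknown)"; fi
```

To see what a live server actually sends, `openssl s_client -connect host:443 -showcerts` prints the presented chain.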