Forum Discussion

Andrew_Jones's avatar
Andrew_Jones
Icon for Nimbostratus rankNimbostratus
Nov 04, 2021

Trusted Certificate Authorities

Can anyone tell me what in the certificate is being checked when you have "Trusted Certificate Authorities" configured

3 Replies

  • Hi Andrew,

    May need some more context on this question.

     

    When you ask what exactly is being checked in a PKI certificate to validate it: It's taking the signature (encrypted hash) from the server certificate and decrypt that using the public-key of the signer. Then, comparing this value against the result of calculating your own hash of the server certificate.

     

    The "Trusted Certificate Authorities" point to the valid signing chains for the certificate you expect to see from your server.

     

    But probably you mean something else with your question, please abbreviatie.

  • Hi Erwin

     

    thanks for your quick reply

     

    Do you know the parameters that are checked in the valid signing chain when you have a root cert in the Trusted Certificate Authorities eg date, CN

     

    Andy

     

     

     

     

  • In PKI the attributes that are used to built the CA chain are:

     

    Preferred method implemented most of the time: AKI/SKI attributes. Authority Key Identifier of the certificate points to the Subject Key Identifier of it's signer -- public key hash values.

     

    Alternative method:: Subject/Issuer attributes. Issuer of the certificate points to the Subject of it's signer -- named values.

     

    Furthermore, validity of a certificate is always checked based on the "valid to" (datetime attribute) and CRL/OCSP checks.