In SSL how a certificate is matched/found in truststore?

Question

In SSL how does it check whether there is a matching certificate in the trust-store? Is it by matching the fingerprint or the serial number?

I always thought it's by matching the fingerprint, but when I ran a java SSL debug following is what I got, and I couldn't see any fingerprint there.

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=XXXX
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 1024 bits
  modulus: XXXX
  public exponent: XXXX
  Validity: [From: Mon Mar 16 22:48:10 UTC 2015,
               To: Sun Jun 14 22:48:10 UTC 2015]
  Issuer: CN=XXXX
  SerialNumber: [    XXXXXXX]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
 ...
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
 ...

]
***

I hope this is not a duplicate question (I checked the suggested questions before posting).

Answer 1

It doesn't check whether there is a matching certificate. It checks whether there is a certificate whose subject equals the issuer of this certificate, and whose public key verifies the signature of this certificate.

Answer 2

Quite often, the Certificate Authority Key Identifier is marked as non-critical when present in the certificate to verify, and it's not even always present. You couldn't really rely on that as a fingerprint reference to use.

The verification is done by building a certification path, by chaining the Issuer DN (Distinguished Name) of the certificate to verify to the Subject DN of a CA certificate you trust.

This is described in the CertPathBuilder/CertPathValidator sections of the Java PKI Programmer's Guide. (More generally, this follows RFC 3820, since there are other attributes to check too.)

Alternatively, you can also have an exact End Entity Certificate (not a CA certificate) directly in the truststore. In this case, an exact match with the certificate can be used.