
On the server side, there is a public cert 'CertA', which is signed by the root cert 'RootCert'.

On the client side, 'RootCert' is already installed in the cert store.

When the client (browser) receives cert 'CertA' from the server side, which field does it use to retrieve the root cert from its cert store? Is it 'Common Name', 'Serial Number' or 'Thumbprint'?

  • Different web browsers on different OS use different locations to locate root certificates, so this question is too broad. – Lex Li Nov 27 '17 at 03:15
  • @LexLi Where the root certificates are stored is irrelevant, but it's off topic because it isn't a programming question. – user207421 Nov 27 '17 at 03:43
  • The server provides not only its certificate but a certificate *chain*, up to and including a certificate signed by a CA trusted by the client. – user207421 Nov 27 '17 at 03:44
  • @LexLi I have just elaborated the question with more details. My question is which 'field' is used by the client to identify the root cert in its cert store. – user1553907 Nov 28 '17 at 02:56
  • Please spend enough time on materials such as this Wikipedia article, https://en.wikipedia.org/wiki/X.509 which even provides you sample certificates and in-depth analysis. – Lex Li Nov 28 '17 at 03:00

1 Answer


CertA contains details identifying the certificate that it was signed by. If the client has that certificate installed in its certificate store, then it knows to approve CertA.

For example, the cert for this site includes details of the issuer in the Issued By section:

Issued To
  Common Name (CN): *.stackexchange.com
  Organisation (O): Stack Exchange, Inc.
  Organisational Unit (OU): (empty)

Issued By
  Common Name (CN): DigiCert SHA2 High Assurance Server CA
  Organisation (O): DigiCert Inc
  Organisational Unit (OU): www.digicert.com

mgh42
  • Then which field is used to find the installed cert? Is it 'Common Name' or 'Serial Number' or 'Thumbprint'? – user1553907 Nov 28 '17 at 02:42
  • 1
    To validate this end-entity certificate, one needs an intermediate certificate that matches its **Issuer** and **Authority Key Identifier**.(https://en.wikipedia.org/wiki/X.509) – user1553907 Nov 28 '17 at 03:33
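The lookup the answer and the last comment describe, as an added example that is not part of the original question or answer: a Go program (the names newCert, tmpl, findIssuer, buildChain and Demo are this example's own, and every certificate in it is constructed test data, not a real CA's) that generates a root, an intermediate, a server certificate and a decoy root sharing the real root's Subject name but not its key. It then resolves the server certificate's chain by matching each certificate's Issuer name and Authority Key Identifier against the store entries' Subject name and Subject Key Identifier, and cross-checks the result with crypto/x509's own verifier. Serial number and thumbprint are never consulted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert signs t with parentKey (nil parent = self-signed); constructed test data only, so it panics on error.
func newCert(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// tmpl is a minimal CA or server-certificate template (constructed test data).
func tmpl(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage, t.DNSNames = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{cn}
	}
	return t
}

// findIssuer is the lookup the question asks about: the store entry whose Subject
// equals cert's Issuer and, when both sides carry the extension, whose Subject Key
// Identifier equals cert's Authority Key Identifier. Serial and thumbprint are unused.
func findIssuer(cert *x509.Certificate, store []*x509.Certificate) (*x509.Certificate, error) {
	for _, cand := range store {
		sameName := bytes.Equal(cert.RawIssuer, cand.RawSubject)
		sameKeyID := len(cert.AuthorityKeyId) == 0 || len(cand.SubjectKeyId) == 0 ||
			bytes.Equal(cert.AuthorityKeyId, cand.SubjectKeyId)
		if !sameName || !sameKeyID || cert.CheckSignatureFrom(cand) != nil {
			continue // wrong name, a same-named CA with another key, or a signature that does not verify
		}
		return cand, nil // name and key id only nominate a candidate; the signature check confirms it
	}
	return nil, fmt.Errorf("no issuer in store for %q", cert.Subject.CommonName)
}

// buildChain walks leaf -> ... -> a self-signed store entry (the trust anchor); bounded so cross-signed loops cannot hang it.
func buildChain(leaf *x509.Certificate, store []*x509.Certificate) ([]*x509.Certificate, error) {
	chain := []*x509.Certificate{leaf}
	for cur := leaf; len(chain) < 8; cur = chain[len(chain)-1] {
		issuer, err := findIssuer(cur, store)
		if err != nil {
			return nil, err
		}
		chain = append(chain, issuer)
		if bytes.Equal(issuer.RawIssuer, issuer.RawSubject) {
			return chain, nil
		}
	}
	return nil, fmt.Errorf("chain too long")
}

// Demo builds root -> intermediate -> leaf plus a decoy root that has the real root's
// Subject name but another key, resolves the chain, and cross-checks with crypto/x509.
func Demo() ([]*x509.Certificate, error) {
	root, rootKey := newCert(tmpl("Example Root CA", 1, true), nil, nil)
	decoy, _ := newCert(tmpl("Example Root CA", 4, true), nil, nil)
	inter, interKey := newCert(tmpl("Example Issuing CA", 2, true), root, rootKey)
	leaf, _ := newCert(tmpl("www.example.test", 3, false), inter, interKey)
	chain, err := buildChain(leaf, []*x509.Certificate{decoy, inter, root})
	if err == nil { // cross-check: the standard library must accept the same leaf against the real root
		roots, inters := x509.NewCertPool(), x509.NewCertPool()
		roots.AddCert(root)
		inters.AddCert(inter)
		_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.test"})
	}
	return chain, err
}

func main() {
	chain, err := Demo()
	for _, c := range chain {
		fmt.Printf("%s (serial %d) <- issued by %s\n", c.Subject.CommonName, c.SerialNumber, c.Issuer.CommonName)
	}
	fmt.Println("error:", err)
}
```

Run it with `go run`. The decoy is deliberately listed first in the store: its Subject name is identical to the real root's, so a lookup on Common Name alone would pick it, and only the Authority Key Identifier (and, ultimately, the signature check) steers the walk to the root that actually signed the intermediate. Serial numbers are only unique per issuer, and a thumbprint is not a certificate field at all but a hash of the DER that a viewer computes, which is why neither can serve as the link from a certificate to its issuer.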