0

I'm trying to manually verify self signed certificate but the process is not clear. I created a self signed certificate server.cert using a ca.crt file which I also created.

I provided the server.key + server.crt to my SSL server.

now, how the client suppose to verify the server.cert (assuming the server send it server.cert)?

As I understand, when creating a server.crt, the ca supposed to encrypt the Hash(server.cert) using the ca's private-key and this whole thing (including the signature) is the server certificate. so how would I validate the certificate. I suppose I somehow need to be using the ca.cert in my client side? because the ca.cert also contains the ca.public key, but what do I need to do to the server.crt to be able to say that the signature is correct?

toto
  • 1,197
  • 2
  • 15
  • 26

1 Answers1

0

The server needs to present a proper certificate, signed by any authority. That authority could be yourself, it doesn't matter. The thing is that the client doesn't trust "you" by default. The reason the client trusts certificates by other CAs is because it comes with a long list of known and trusted CAs; and "you" are not on that list. To get on that list and become trusted, you add the CA certificate to your local trust store. Typically that's managed by the operating system and details how to add a certificate to it will differ, but each individual app (e.g. browser) may also have its own trust store and not use the operating system's.

deceze
  • 510,633
  • 85
  • 743
  • 889
  • I understand that, but my simple issue is merely this: assuming I capture the server's certificate (during the SSL handshake), what is the process of validating this certificate? I know there is an encrypted hash (which was generated by the CA) in the certificate, what would I compare it to? I need to validate that hash encryption somehow, and btw, I have the CA certificate "installed" (not really, I'm doing stuff manually) in my "client". – toto Jan 09 '18 at 15:52
  • You want to know in detail what the algorithm for validating a certificate against a trusted CA certificate is…?! You better read the specification for that. For the practical everyday use case, you never worry about that level of detail at all. If you ever need to manually validate a certificate, you use a library that implements that check (likely something binding to openssl behind the scenes) and feed it the correct certificates. I'm still not sure what your exact use case is and when you'd be "capturing" what server's certificate in [tag:node.js]. – deceze Jan 09 '18 at 16:08
  • If the server.crt is a self signed cert, is it sufficient for client to only have the CA cert in order to validate the server.crt? and if so, how is this possible? the server.crt was signed with the CA private key, so what's the point in having the ca Cert and it's public key? what is there to compare? I do not think this is too much details that need the specification reading, it is just a basic of SSL that need to come into the light =) – toto Jan 09 '18 at 16:29
  • So this has nothing really to do with self-signed certs at all; you just want to know how certificate validation works when all you as the client ever see is public keys, never the private keys used for signing. – deceze Jan 09 '18 at 16:32
  • 1
    Also see https://security.stackexchange.com/a/116268 and similar posts there. – deceze Jan 09 '18 at 16:35
  • well.. after u ask too many questions, it seems like u helped me understand what I want... =) – toto Jan 09 '18 at 16:49