
I am trying to understand how SSL works (to know it better); I got some understanding of the concepts by referring to various online materials and docs.

The basis is: A browser receives a certificate that is signed by a valid CA. Now, for the browser to check if the certificate is actually from that CA, it will use the public key of that CA, which is installed in the browser. This is where my doubt starts.

How does the browser receive the public key of a valid CA (for example, Symantec) and then ensure that the public key is actually from that valid CA?

This seems like a hen-and-chicken problem to me; I am not an expert in this subject, I am trying to understand to shy away from my confusion.

Any help in understanding is appreciated.

CuriousMind
  • Either your browser (Firefox) or your OS ships with a set of trusted CA certificates. You trust the OS/browser. – Jonathon Reinhart Jul 28 '20 at 10:39
  • @JonathonReinhart: Thanks for your comment. Is this the only way? If a new CA comes in the market, how will the browser get the cert for that new CA? Any pointer to understand this, please. – CuriousMind Jul 28 '20 at 11:05
  • 1. The public key is in the certificate. 2. The certificate is signed by another public key contained in another certificate. Ultimately your browser has a set of trusted root certificates such that it trusts that the public keys in those certificates belong to those certificates, and that it trusts certificates signed by the owners of those certificates, and so on back down to the terminal certificate being validated. – user207421 Jul 28 '20 at 11:34
  • @CuriousMind: If a new CA comes into the market then the browser or OS will need to ship a software update containing the new CA's root certificates. – President James K. Polk Jul 28 '20 at 12:06
  • Thanks for sharing the details. A follow up: What happens when a CA's root certs (which are present in the browser) expire? How will it get the latest cert/public key for the CA? – CuriousMind Jul 28 '20 at 12:15
  • It's just a new CA – Jonathon Reinhart Jul 28 '20 at 22:49
  • See this Answer: https://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified – Askar Aug 28 '22 at 07:51
