Digital Certificate Life Cycle and Validation
What is certificate
An electronic document with the following information:
- Who issued the certificate
- Who the certificate is issued to
- Valid to date (expiry date)
- Public key
- Digital signature
The hash value of the certificate is signed with the issuer's private key -> digital signature
To validate, apply the issuer's public key to the digital signature to get back the hash value, and compare it with the hash computed over the certificate
X.509 Digital Certificate
Certificate trust model
There is a CA; the OS ships with the CA's certificate installed, so every certificate signed by that CA is trusted too
Lifecycle
- CA (certificate authority) receives a certificate request
- If the request is authorized, the CA issues the certificate
- The certificate is delivered to the user, host or service
- Applications using the PKI (public key infrastructure) use the certificate according to its intended usage and purpose
- The certificate expires, or is revoked prior to expiry; after that it can no longer be used
- The CA receives a request to renew the existing certificate. If the request is authorized, the certificate is renewed and can be used again
Validating digital signature
- Check the digital signature
- Check that the website address is the same as the one defined in the certificate
- If someone changed the website address in the certificate, the digital signature would no longer match
Validating certificates
There are 2 stages:
- A certificate is correct (trusted) only if it was signed by a trusted CA, and that's why trusted root CAs are downloaded first. At this stage the system checks certificates retrieved from AIA (Authority Information Access) points and the group policy applicable to the computer, as well as certificates cached earlier
- Next, the system checks the validity of all certificates on the path between the trusted CA and the certificate being checked
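The validation described above (recovering the hash from the signature, matching the hostname, and the two-stage chain check), as an added example that is not part of the original notes. It uses a constructed toy PKI with textbook RSA over fixed primes instead of a real X.509 library; all names, keys and dates are made up.

```python
import datetime
import hashlib
import json
# Added example, not from the original notes. Constructed toy PKI: textbook RSA over
# fixed, publicly known Mersenne primes (no padding), sized so a SHA-256 digest fits
# under n. Real CAs use randomly generated keys with PKCS#1/PSS padding or ECDSA.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

ROOT_KEY = make_key(2**521 - 1, 2**127 - 1)   # CA key pair
LEAF_KEY = make_key(2**607 - 1, 2**89 - 1)    # server key pair
NOW = datetime.date(2024, 6, 1)               # fixed clock for reproducible checks

def tbs_digest(cert):
    """Hash of the to-be-signed fields, i.e. everything except the signature."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(subject, subject_key, issuer, issuer_key, days):
    """The issuer signs the hash of the certificate body with its private key (d)."""
    cert = {"issuer": issuer, "subject": subject,
            "not_after": (NOW + datetime.timedelta(days=days)).isoformat(),
            "public_key": {"n": subject_key["n"], "e": subject_key["e"]}}
    cert["signature"] = pow(tbs_digest(cert), issuer_key["d"], issuer_key["n"])
    return cert

ROOT = issue("Example Root CA", ROOT_KEY, "Example Root CA", ROOT_KEY, 3650)  # self-signed
LEAF = issue("www.example.com", LEAF_KEY, "Example Root CA", ROOT_KEY, 365)
TAMPERED = dict(LEAF, subject="evil.example")  # edited subject, original signature kept

def validate(chain, hostname, trusted_roots, now=NOW):
    """chain is leaf first and ends with the root. Stage 1: the root must be a trusted CA.
    Stage 2: each certificate on the path must be signed by its issuer and be unexpired.
    Finally, the requested hostname must match the leaf's subject."""
    if chain[-1] not in trusted_roots:
        return False, "root CA is not trusted"
    for cert, issuer in zip(chain, chain[1:] + [chain[-1]]):  # the root verifies itself
        if cert["issuer"] != issuer["subject"]:
            return False, f"issuer mismatch on {cert['subject']}"
        pk = issuer["public_key"]
        # Applying the issuer's public key to the signature must give back the hash.
        if pow(cert["signature"], pk["e"], pk["n"]) != tbs_digest(cert):
            return False, f"bad signature on {cert['subject']}"
        if datetime.date.fromisoformat(cert["not_after"]) < now:
            return False, f"{cert['subject']} has expired"
    if chain[0]["subject"] != hostname:
        return False, "hostname does not match certificate"
    return True, "ok"
```

Because the subject is part of the signed hash, the tampered certificate fails at the signature step rather than at the hostname step, which is the point made in the signature section above.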