0

So I just came to know about Digital certificates, and this is what I understand. Public Key, Message + PK_encrypt(Hash(message))/Message Signing, And other identifiers is what a digital signature is. The Signed message is decrypted by the client and if the client computed hash of the message is identical to the signed one, then the client is sure of integrity. But How does the client makes sure of the CA? From what I understand, Some values from a CSR is signed with CA's PK and the signature is added to the digital cert that the leaf node sends to the user. The user already has the Public Key of the CA inbuilt, and can verify the authenticity of the leaf node. Am I even close to being right?

C0DEV3IL
  • 1
  • You've mostly got it right, but signatures and encryption are two separate things, you don't "decrypt" a signed message (unless it was signed and also encrypted). [This](https://security.stackexchange.com/q/20803/151903) and [this](https://security.stackexchange.com/q/87564/151903) are good references for how TLS and PKI work. – AndrolGenhald Sep 18 '19 at 02:15
  • Read the whole articles. It was written abstractly like "In some way the CA authenticates the server, that can be verified by the browser with the CA's public key" What I don't understand is what exactly comes with the server cert? are there two digital signatures? 1 for the server, and 1 for the CA? Is it that if the browser can verify the CA signature then the browser can trust? And what exactly will the message be that the browser can compute a hash of and verify authenticity? – C0DEV3IL Sep 18 '19 at 23:46
  • Are you asking something more along the lines of "What information does a certificate contain, what parts of it are signed, how is the verification done on the chain up to the root, etc?" If you edit your question to make it more clear, what you already know and what you're looking to learn, and to clearly show how the current duplicate does not answer it, the question might be reopened or someone might find a better duplicate that could explain this for you. – AndrolGenhald Sep 21 '19 at 20:14
  • I studied wiki, and found that after the company verification is complete, the CA signs the Requester's Public key and the server sends the digital signature of it's own public key signed by CA. That's all I wanted to know. That how can a user know if the CA is who it claims to be. As now the user has the CA's public key, it can verify if the signature signed by the CA is authentic or not. Thanks guys :-) – C0DEV3IL Sep 21 '19 at 21:53

0 Answers0