
What is the process of validating that an SSL certificate I try to validate is really signed by a CA I trust? What part of the certificate (the one I try to validate) is the one that can't be faked? From what I understand there should be some data encrypted (and possibly hashed) by the CA private key, so I can decrypt it with the public key of the CA certificate in my trust store and compare hashes.

More specifically:

How is the verification of the CA (whole chain) performed? How can I know that the certificate I try to verify didn't just say "Yep, Verisign signed me"? I know it's done with a digital signature, but what field of the certificate is used to perform this signature to verify the CA?

  • Does this answer your question? [SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?](https://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity) - Don't get stuck on the fact that it mentions browsers; the validation process is identical. – vidarlo May 08 '21 at 15:17
  • You bolded the last question, but the duplicate still answers you. – schroeder May 08 '21 at 16:08
  • I am sorry but I read through the answer a few times and still couldn't get the answer. I understand how the digital signature works, but didn't find an answer for what field of the certificate is used to perform this action – user256948 May 08 '21 at 16:32
  • #56389 explains the chaining; to explain in detail how the signature on _one link_ works, see https://security.stackexchange.com/questions/127095/manually-walking-through-the-signature-validation-of-a-certificate (disclosure: I contributed to the answer). Also, signature is not encryption 'backwards', although some people initially thought so in one case (RSA) decades ago, and certificates are not encrypted at all, only signed. – dave_thompson_085 May 09 '21 at 02:59
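As an added example that is not part of the question or its comments, here is the single-link check the question asks about, done by hand with Python's third-party `cryptography` package (assumed installed): the issuer's public key verifies the certificate's signatureValue over the DER-encoded tbsCertificate, so a certificate that merely names the CA as its issuer fails the check.

```python
# Added example (not from the question or its comments). It assumes the
# third-party `cryptography` package is installed.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def make_cert(subject, issuer, subject_key, signing_key, is_ca):
    """Build an X.509 cert whose signature is made with signing_key."""
    now = datetime(2021, 5, 8, tzinfo=timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (
        x509.CertificateBuilder()
        .subject_name(name(subject))
        .issuer_name(name(issuer))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )

def signed_by(cert, issuer_cert):
    """True iff issuer_cert's public key verifies cert.signature over the
    DER-encoded tbsCertificate (everything except the signature fields).
    The issuer name inside cert is only a lookup hint, never proof."""
    try:
        issuer_cert.public_key().verify(
            cert.signature,                 # signatureValue field
            cert.tbs_certificate_bytes,     # the bytes the CA actually signed
            padding.PKCS1v15(),             # RSA certs use PKCS#1 v1.5 here
            cert.signature_hash_algorithm,  # taken from signatureAlgorithm
        )
        return True
    except InvalidSignature:
        return False

def demo():
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = make_cert("Example Trusted CA", "Example Trusted CA", ca_key, ca_key, True)
    genuine = make_cert("example.test", "Example Trusted CA", leaf_key, ca_key, False)
    # Names the same issuer but is signed with the leaf's own key: "Yep, the CA signed me."
    forged = make_cert("example.test", "Example Trusted CA", leaf_key, leaf_key, False)
    return signed_by(genuine, ca), signed_by(forged, ca), signed_by(ca, ca)
```

A full chain check repeats `signed_by` link by link up to a root in the trust store and additionally checks validity dates, BasicConstraints and revocation, which this example leaves out.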
