
Based on my understanding, a TLS client trusts a server because the server sends its certificate, which has been signed by a CA. How does my computer/OS know which CAs are publicly trusted? Do all operating systems run programs to update a list of trusted public CAs that is stored on the client OS? What happens if a CA root cert expires? Do all users need to "manually" get new root certs from the CA in order to again trust servers with certs signed by that CA? I'd be specifically interested to know how this works for RHEL systems, if anyone knows.

I understand that for private CAs this requires an intervention. What I am specifically asking is, for example, when I run a VM based on an OS image, how am I able to use that VM to make a TLS-encrypted call to google.com without any additional configuration?

  • In short: these root CAs come with the system or with specific software (browsers, Java, ...) and get updated together with the system updates or software updates. – Steffen Ullrich Oct 21 '22 at 05:46
  • **For RedHat specifically, these certs are in package `ca-certificates`**, which is a dependency of many things and thus almost always installed; it is updated the same way as other packages. In practice public-CA root certs usually have lifetimes of 20 years or more and are superseded before they expire, although there was a kerfluffle last Sep when DST Root CA X3 (Digital Signature Trust, now IdenTrust), still used by LetsEncrypt for compatibility with Android versions before about 2016, expired, causing errors in some sw using older OpenSSL; this and other Stacks have many Qs on it. – dave_thompson_085 Oct 22 '22 at 00:08
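As an added example (not from the question or the comments above), the script below shows where a Python/OpenSSL client picks up the OS trust store that the `ca-certificates` package populates, loads the roots that are actually trusted on this machine, and reports any root that expires within a given window (the DST Root CA X3 situation from the comment). The sample root record at the bottom is constructed for offline testing; its date is the constructed expiry of a fictitious root, not taken from any real certificate.

```python
import ssl
import time


def trust_store_locations():
    """Paths this OpenSSL build consults for the system trust store.

    On RHEL these come from the ca-certificates package (e.g. /etc/pki/tls/cert.pem);
    the env var names let an admin override them per process.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "cafile_env": p.openssl_cafile_env,
        "capath_env": p.openssl_capath_env,
    }


def load_system_roots():
    """Return the root certificates the default TLS context trusts right now.

    create_default_context() calls load_default_certs(), so this is exactly the
    set an unconfigured VM would use to verify google.com. Empty list means the
    OS has no trust store installed and every public-CA connection will fail.
    """
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


def _common_name(subject):
    # subject is a tuple of RDNs, each a tuple of (attribute, value) pairs
    for rdn in subject:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return "<no CN>"


def roots_expiring_within(certs, days, now=None):
    """List (commonName, notAfter) for roots that expire within `days` of `now`.

    A root that drops out of the store this way is replaced by a newer
    ca-certificates package, not by users fetching certs by hand.
    """
    now = time.time() if now is None else now
    limit = now + days * 86400
    expiring = []
    for cert in certs:
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        if not_after <= limit:
            expiring.append((_common_name(cert["subject"]), cert["notAfter"]))
    return expiring


# Constructed sample in the same dict shape ssl returns; hypothetical root and date.
SAMPLE_ROOTS = [
    {
        "subject": ((("countryName", "US"),), (("commonName", "Constructed Root X"),)),
        "notAfter": "Sep 30 14:01:15 2021 GMT",
    }
]
```

Run it on a RHEL box to see `/etc/pki/tls` in the paths and the full root list; pass a longer window to `roots_expiring_within` to preview which roots the next `ca-certificates` update will have to replace.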
