Digital Certificate Life Cycle and Validation

What is a certificate

An electronic document with the following information:

  1. Who issued the certificate
  2. Who the certificate is issued to
  3. Valid to date (expiry date)
  4. Public key
  5. Digital signature
    The issuer computes a hash value of the certificate contents and signs that hash with its private key -> digital signature

To validate, apply the issuer's public key to the digital signature to recover the hash value, then compare it with a hash computed over the certificate

X.509 Digital Certification

Certificate trust model

There is a CA; the OS has the CA's certificate installed, so every certificate signed by that CA is trusted too

Lifecycle

  1. CA (certificate authority) receives a certificate request
  2. If the request is authorized, the CA issues the certificate
  3. The certificate is delivered to the user, host or service
  4. Applications within the PKI (public key infrastructure) use the certificate according to its usage and purpose
  5. The certificate expires, or is revoked prior to expiry; after that it can no longer be used
  6. The CA receives a request to renew the existing certificate. If the request is authorized, the certificate is renewed and can be used again

Validating digital signature

  1. Check digital signature
  2. Check whether the website address is the same as the one on the certificate
  3. If someone changed the website address on the certificate, the digital signature would no longer match

Validating certificates

There are two stages:

  1. A certificate is correct (trusted) only if it was signed by a trusted CA, and that is why trusted root CAs are downloaded first. At this stage the system checks certificates published at the AIA (Authority Information Access) points and by the group policy applicable to the computer, as well as certificates cached earlier
  2. Next, the system checks the validity of all certificates on the path between the trusted CA and the certificate being checked
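The two validation stages above, together with the signature, expiry and website-address checks from the earlier sections, as an added example in Go that is not part of these notes. It builds its own throwaway root CA and leaf certificate (the CA name and the hostnames are constructed sample values) and then shows that a path to a trusted root, a valid date and a matching hostname are all required, and that altering the address inside a signed certificate breaks its signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// buildChain constructs a throwaway root CA and a leaf certificate for leafName signed by it (constructed sample data).
func buildChain(leafName string, notAfter time.Time) (root, leaf *x509.Certificate, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the leaf's private key is not needed for validation
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	// A failed CreateCertificate yields empty DER, which ParseCertificate rejects, so one check covers both.
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if root, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: leafName}, DNSNames: []string{leafName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The CA's private key signs a hash of the leaf's contents: that signature is what relying parties verify.
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, root, leafPub, caKey)
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// validate runs both stages from the notes: path to a trusted root (each signature and validity period), then the hostname check.
func validate(leaf, root *x509.Certificate, hostname string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, CurrentTime: now})
	return err
}

// tamperName rewrites the hostname inside the signed DER (same length, so it still parses); the altered hash no longer matches the signature.
func tamperName(leaf *x509.Certificate, oldName, newName string) (*x509.Certificate, error) {
	return x509.ParseCertificate(bytes.ReplaceAll(leaf.Raw, []byte(oldName), []byte(newName)))
}
```

Calling validate with a different root pool, a later CurrentTime, another hostname, or the tampered certificate returns a non-nil error in each case, which is the behaviour the two stages describe.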
