Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>First of all we need to distinguish server-side and client-side certificates. </p> <p>In most cases only the server-side certificate is used. It is used to let the client verify the authenticity of the server that the client has connected to by validating the server's certificate (validation procedure will be described below). Doing this should prevent man-in-the-middle (MITM) attack. </p> <p>Client-side certificate is used when we need to restrict access to the server to only some set of users. To do this the client authenticates itself with the certificate. As the set of users is usually limited (by some criteria, it can be quite large in real life), validation procedure is often a bit different from the server cert validation procedure. </p> <p>Next, about validation itself.</p> <p>When validating the server's certificate on the client, the client takes the following steps:</p> <ol> <li>Find issuer (CA) certificate and check the signature of the server's certificate using issuer certificate (technical details skipped). </li> <li>Check certificate validity period (from when to when the certificate should be accepted).</li> <li>Check certificate intended usage (each certificate can be restricted to only some purposes). </li> <li>Check that the certificate has been issued for domain name (or IP address) that the server is located on. </li> <li>Check that the certificate has not been canceled (revoked) by the CA. This is done by checking certificate revocation lists (CRL) and by sending an on-the-fly request using OCSP protocol. </li> <li>As CRLs and OCSP responses are signed using certificates, their signatures are also validated as described above.</li> <li>The procedure is repeated for the CA certificate mentioned in step (1) and this goes on until you get to trusted root CA certificate (it is assumed that the client has a set of trusted root certificates). </li> </ol> <p>When the server validates client's certificate, the above procedure is usually simplified because the same system is a CA and a server access to which is verified. In this case certificates can be either matched directly to the list of allowed certificates or most of the above steps can be unnecessary. </p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload