4

I have been researching on this topic and I need to understand the exact signing and verification process when made through a trusted CA. From what I understand, this is how it works at a very high level:

  1. You buy a certificate with a trusted CA
  2. The private key of this certificate is stored securely on the server
  3. Messages are signed using the private key of this certificate
  4. On the client application, the CA store is loaded, and verification is made against it. Verification succeeds if your certificate is trusted by the CA, and fails otherwise.
  5. If the private key becomes compromised, you revoke the certificate, and you buy a new one. Any clients still verifying with the revoked certificate will fail verification.

Now my question is; since every CA has its own public key, and the client is verifying against that CA, and not directly with my public key, how is the link between the CA's public key and my own public key (which is signed with that CA) made? Is this linking function done internally by the CA?

Thanks in advance.

seedg
  • 257
  • 1
  • 7

1 Answers1

4

Now my question is; since every CA has its own public key, and the client is verifying against that CA, and not directly with my public key, how is the link between the CA's public key and my own public key (which is signed with that CA) made? Is this linking function done internally by the CA?

The certificate issued by the CA that contains your public key is signed with the issuing CAs public key. When you present this certificate to the client it must validate that the CAs signature is valid and comes from a valid CA (among other things).

If the CA is an intermediate CA then in turn the cert containing it's public key is signed by a CA higher up in the chain, continuing in the same manner until a root CA is reached. When a client validates your cert, in turn it validates all the intermediate CAs up to a root CA.

Edit: As Jenny D pointed out, the issuing CA will provide the chain back to the root CA if it is an intermediate CA. You can see this chain (e.g. in Safari) when you inspect a certificate for a website (in this case for google). (Google Internet Authority G2 being the issuing CA and GeoTrust Global CA being the root CA).

enter image description here

puzzlepalace
  • 711
  • 3
  • 11
  • 1
    Good answer. You might add tthat the server will usually need to present the intermediate certificates in order to provide a full chain back to a root certificate that is trusted by the client. – Jenny D Oct 14 '15 at 17:20