Solved

What does a client do to verify a server certificate?

Posted on 2010-11-30
2
528 Views
Last Modified: 2012-05-10
My first question is What specifically does a client do to verify a certificate that it was given by a web server(or anything really) is valid?

Part 2 is I am upgrading a MS 2003 Ent enterprise CA to 2008R2 Enterprise, well really I am migrating it to a new VM with the same name and a different IP address. In the process there is a small point where the old CA will be down, the new will be up but not have the config restored yet. Will this affect any communications that were started before the migration or any new communications?
0
Comment
Question by:amylinrob
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 9

Accepted Solution

by:
losip earned 125 total points
ID: 34242851
Normally, a certificate is valid until it expires.  However, it is possible to revoke a certificate for a number of reasons (10 are defined by RFC 5280) and its serial number is published in a Certificate Revocation List (CRL).

Therefore, clients expect to periodically access the CRL, whose publishing location is defined in the certificate, to see if it has been revoked.  Few clients will immediately bomb out if the CRL is not accessible but you may see warnings logged.

There are other methods of checking certificate validity, such as Online Certificate Status Protocol (OCSP) and this is used for high status applications.

Kerberos uses symmetric cryptography and needs reliable online access to a Key Distribution Center but the migration of your CA won't affect this.

Hope this helps
0
 
LVL 11

Assisted Solution

by:MajorBigDeal
MajorBigDeal earned 125 total points
ID: 34244747
Once the client receives the server's certificate it makes the following checks. Is the date valid? Do I trust the organization that issued the cert?  Can I verify that the cert really came from that organization (by verifying the digital signature). Does the domain name match?

If all that is OK, then the client thinks the server is authentic and proceeds with the SSL handshake.   If something is wrong the it usually displays a message warning about the potential problem.
0

Featured Post

Turn Insights into Action

Communication across every corner of your business is essential to increase the velocity of your application delivery and support pipeline. Automate, standardize, and contextualize your communication processes with xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We've all had that page pop up telling us there is a problem with the certificate and some of us continue on anyways and others run away to a safer competing site.  But what to do when you get the error - is it your problem or theirs?  What can you …
The 6120xp switches seem to have a bug when you create a fiber port channel when you have a UCS fabric interconnects talking to them.  If you follow the Cisco guide for the UCS, the FC Port channel will never come up and it will say that there are n…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question