Solved

What does a client do to verify a server certificate?

Posted on 2010-11-30
2
525 Views
Last Modified: 2012-05-10
My first question is What specifically does a client do to verify a certificate that it was given by a web server(or anything really) is valid?

Part 2 is I am upgrading a MS 2003 Ent enterprise CA to 2008R2 Enterprise, well really I am migrating it to a new VM with the same name and a different IP address. In the process there is a small point where the old CA will be down, the new will be up but not have the config restored yet. Will this affect any communications that were started before the migration or any new communications?
0
Comment
Question by:amylinrob
2 Comments
 
LVL 9

Accepted Solution

by:
losip earned 125 total points
ID: 34242851
Normally, a certificate is valid until it expires.  However, it is possible to revoke a certificate for a number of reasons (10 are defined by RFC 5280) and its serial number is published in a Certificate Revocation List (CRL).

Therefore, clients expect to periodically access the CRL, whose publishing location is defined in the certificate, to see if it has been revoked.  Few clients will immediately bomb out if the CRL is not accessible but you may see warnings logged.

There are other methods of checking certificate validity, such as Online Certificate Status Protocol (OCSP) and this is used for high status applications.

Kerberos uses symmetric cryptography and needs reliable online access to a Key Distribution Center but the migration of your CA won't affect this.

Hope this helps
0
 
LVL 11

Assisted Solution

by:MajorBigDeal
MajorBigDeal earned 125 total points
ID: 34244747
Once the client receives the server's certificate it makes the following checks. Is the date valid? Do I trust the organization that issued the cert?  Can I verify that the cert really came from that organization (by verifying the digital signature). Does the domain name match?

If all that is OK, then the client thinks the server is authentic and proceeds with the SSL handshake.   If something is wrong the it usually displays a message warning about the potential problem.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
Moving your enterprise fax infrastructure from in-house fax machines and servers to the cloud makes sense — from both an efficiency and productivity standpoint. But does migrating to a cloud fax solution mean you will no longer be able to send or re…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question