Solved

What does a client do to verify a server certificate?

Posted on 2010-11-30
Last Modified: 2012-05-10
My first question is: what specifically does a client do to verify that a certificate it was given by a web server (or anything really) is valid?

Part 2: I am upgrading an MS 2003 Ent enterprise CA to 2008 R2 Enterprise; well, really I am migrating it to a new VM with the same name and a different IP address. In the process there is a small point where the old CA will be down and the new one will be up but will not have the config restored yet. Will this affect any communications that were started before the migration or any new communications?
0
Question by:amylinrob

Accepted Solution

by:
losip earned 125 total points
ID: 34242851
Normally, a certificate is valid until it expires.  However, it is possible to revoke a certificate for a number of reasons (10 are defined by RFC 5280) and its serial number is published in a Certificate Revocation List (CRL).

Therefore, clients expect to periodically access the CRL, whose publishing location is defined in the certificate, to see if it has been revoked.  Few clients will immediately bomb out if the CRL is not accessible but you may see warnings logged.

There are other methods of checking certificate validity, such as Online Certificate Status Protocol (OCSP) and this is used for high status applications.

Kerberos uses symmetric cryptography and needs reliable online access to a Key Distribution Center but the migration of your CA won't affect this.

Hope this helps
0

Assisted Solution

by:MajorBigDeal
MajorBigDeal earned 125 total points
ID: 34244747
Once the client receives the server's certificate it makes the following checks. Is the date valid? Do I trust the organization that issued the cert? Can I verify that the cert really came from that organization (by verifying the digital signature)? Does the domain name match?

If all that is OK, then the client thinks the server is authentic and proceeds with the SSL handshake. If something is wrong, then it usually displays a message warning about the potential problem.
0
