Solved

What does a client do to verify a server certificate?

Posted on 2010-11-30
2
527 Views
Last Modified: 2012-05-10
My first question is What specifically does a client do to verify a certificate that it was given by a web server(or anything really) is valid?

Part 2 is I am upgrading a MS 2003 Ent enterprise CA to 2008R2 Enterprise, well really I am migrating it to a new VM with the same name and a different IP address. In the process there is a small point where the old CA will be down, the new will be up but not have the config restored yet. Will this affect any communications that were started before the migration or any new communications?
0
Comment
Question by:amylinrob
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 9

Accepted Solution

by:
losip earned 125 total points
ID: 34242851
Normally, a certificate is valid until it expires.  However, it is possible to revoke a certificate for a number of reasons (10 are defined by RFC 5280) and its serial number is published in a Certificate Revocation List (CRL).

Therefore, clients expect to periodically access the CRL, whose publishing location is defined in the certificate, to see if it has been revoked.  Few clients will immediately bomb out if the CRL is not accessible but you may see warnings logged.

There are other methods of checking certificate validity, such as Online Certificate Status Protocol (OCSP) and this is used for high status applications.

Kerberos uses symmetric cryptography and needs reliable online access to a Key Distribution Center but the migration of your CA won't affect this.

Hope this helps
0
 
LVL 11

Assisted Solution

by:MajorBigDeal
MajorBigDeal earned 125 total points
ID: 34244747
Once the client receives the server's certificate it makes the following checks. Is the date valid? Do I trust the organization that issued the cert?  Can I verify that the cert really came from that organization (by verifying the digital signature). Does the domain name match?

If all that is OK, then the client thinks the server is authentic and proceeds with the SSL handshake.   If something is wrong the it usually displays a message warning about the potential problem.
0

Featured Post

Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SSL - Wildcard Enough?  Or, Need EV 14 80
SSL CSR question 2 47
Short term mitigation for Symantec's certs (Google's downgrading) 2 70
Connecting via HTTP / HTTPS 10 78
Requirements: root access via SSH, telnet, or other.. Alternately, access from the server administrator to run a counter-strike server, and the proper access rights to do so. Enough free disk space (and allowed to use this much, eg disk quota): 6…
Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question