How ca.crt.pem works?

Posted on 2011-02-19
Last Modified: 2012-05-11
I maintains one application use allows two way ssl communication in order to do authentication and encryption for communication. I see my application use public key and private key and kept a file ca.crt.pem in their conf directory. It is the public key of CA which signs my application's Private key.

Now my question is what is the use of ca.crt.pem here? Does my application provide it's own public key and ca.crt.pem to client in order to do the verification of application's certificate?

Question by:beer9
  • 2
  • 2

Assisted Solution

Bxoz earned 250 total points
Comment Utility
ca.crt.pem is an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

wikipedia :

Accepted Solution

jfk013097 earned 250 total points
Comment Utility
I think there is some confusion here.

There are (usually) at least three digital certificate files involved in an ssl comms link.

The public and private key pair (the first 2 of 3):
The key used to encrypt a message - or data stream is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys—a public encryption key and a private decryption key. The publicly available encrypting-key is freely available, but the private (decrypting) key should only be known only to the recipient.

Information is encrypted with the recipient's public key and can only be decrypted with the corresponding private key. The keys are related mathematically, but the private key cannot realistically be derived from the public key - at least not with current mathematics/physics.

Then there is the CA, or Certificate Authority (the 3rd and final part).

A CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon that certificate. There are a number of these, varying between the commercial ones such as Verisign, Thawte etc. and the free ones llike - and whilst the latter offers perfectly valid certificates, most browsers do not recognize the authenticity of that "root" certificate authority simply because they do not have that certificate bundled with them when they get installed, and will pop up alarming warning messages on encountering a site which is secured by a certificate which refers to that "CA" - it does not mean the security is any less, only that the browser has no authoritative knowledge of that CA. Large corporates and government institutions may initiate their own certificate authorities.

So, in answer to your question, I suspect the ca.crt.pem file you refer to is actually the Certificate Authorities digital certificate - not either your private or pubic key (which can often be contained in the same ascii file)

Hope that helps - it's quite a complex subject.

Ask away if you would like more detail, or clarity.


Author Comment

Comment Utility
Hi Jfk, Thanks for the detailed explanation.

I would like to know if I have CA's cert and my own cert(public key) which was signed by CA. Then How can I verify whether CA has signed my public key(cert)? If I use below openssl command then which information would be required to confirm it? Signature? Thanks!

openssl x509 -in mycert.pem -noout -text
openssl x509 -in cacert.pem -noout -text

Open in new window


Expert Comment

Comment Utility
Hi beer9

The openssl command to interrogate keys/certificates varies depending on the type.

To verify your CA (in your case cacert.pem by the sound of it) use the following:

    openssl x509 -in cacert.pem -text -noout

and look for the line near the top of the output which begins "Data:" - this will tell you everything about the ca cert such as the issuer, the validity period and serial number.

To check a private key:

   openssl rsa -in privateKey.key -check

in general to check a certificate:

   openssl x509 -in certificate.crt -text -noout

you can also use the openssl command to check the validity of a certificate on a remote host like so:

   openssl s_client -connect

which will display the certifiate info for HSBC UK's web server. You can also use openssl to convert between different types of certificate should you have applications which require that.

Anything else I can help with?


Author Closing Comment

Comment Utility
Thank you! :-)

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
VPN or Socks 5 75
IIS on 2012 R2 server local access works, remote does not 12 50
SSL certificate pack 6 101
RDP Sonicwall 8 22
Imagine a situation that you have installed SSL ( Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now