

How ca.crt.pem works?

Posted on 2011-02-19
Medium Priority
Last Modified: 2012-05-11
I maintain an application that allows two-way SSL communication in order to do authentication and encryption of communication. I see that my application uses a public key and a private key, and keeps a file ca.crt.pem in its conf directory. It is the public key of the CA which signs my application's private key.

Now my question is: what is the use of ca.crt.pem here? Does my application provide its own public key and ca.crt.pem to the client in order to do the verification of the application's certificate?

Question by:beer9

Assisted Solution

Bxoz earned 1000 total points
ID: 34934470
ca.crt.pem is an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

wikipedia :

Accepted Solution

jfk013097 earned 1000 total points
ID: 34934792
I think there is some confusion here.

There are (usually) at least three digital certificate files involved in an ssl comms link.

The public and private key pair (the first 2 of 3):
The key used to encrypt a message - or data stream - is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys: a public encryption key and a private decryption key. The public encrypting key is freely available, but the private (decrypting) key should be known only to the recipient.

Information is encrypted with the recipient's public key and can only be decrypted with the corresponding private key. The keys are related mathematically, but the private key cannot realistically be derived from the public key - at least not with current mathematics/physics.

Then there is the CA, or Certificate Authority (the 3rd and final part).

A CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon that certificate. There are a number of these, varying between the commercial ones such as Verisign, Thawte etc. and the free ones like - and whilst the latter offers perfectly valid certificates, most browsers do not recognize the authenticity of that "root" certificate authority simply because they do not have that certificate bundled with them when they get installed, and will pop up alarming warning messages on encountering a site which is secured by a certificate which refers to that "CA" - it does not mean the security is any less, only that the browser has no authoritative knowledge of that CA. Large corporates and government institutions may initiate their own certificate authorities.

So, in answer to your question, I suspect the ca.crt.pem file you refer to is actually the Certificate Authority's digital certificate - not either your private or public key (which can often be contained in the same ASCII file).

Hope that helps - it's quite a complex subject.

Ask away if you would like more detail, or clarity.


Author Comment

ID: 34987077
Hi Jfk, Thanks for the detailed explanation.

I would like to know: if I have the CA's cert and my own cert (public key), which was signed by the CA, then how can I verify whether the CA has signed my public key (cert)? If I use the openssl commands below, which information would be required to confirm it? The signature? Thanks!

    openssl x509 -in mycert.pem -noout -text
    openssl x509 -in cacert.pem -noout -text



Expert Comment

ID: 34987256
Hi beer9

The openssl command to interrogate keys/certificates varies depending on the type.

To verify your CA (in your case cacert.pem by the sound of it) use the following:

    openssl x509 -in cacert.pem -text -noout

and look for the line near the top of the output which begins "Data:" - this will tell you everything about the ca cert such as the issuer, the validity period and serial number.

To check a private key:

    openssl rsa -in privateKey.key -check

In general, to check a certificate:

    openssl x509 -in certificate.crt -text -noout

You can also use the openssl command to check the validity of a certificate on a remote host like so:

    openssl s_client -connect

which will display the certificate info for HSBC UK's web server. You can also use openssl to convert between different types of certificate should you have applications which require that.

Anything else I can help with?
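
The check asked about in this thread (whether a given CA actually signed a certificate) is done with `openssl verify` rather than by reading the `-text` output. The script below is an added example, not part of the original thread: the CA, the certificates and every file name are constructed for the demo, and the helper names `make_demo_pki`, `issuer_names_ca` and `signed_by` are hypothetical. It goes one step beyond the question by showing that a matching Issuer name alone does not prove who signed the certificate.

```shell
#!/bin/sh
# Added example. Every name, key and file here is constructed for the demo.

# Create a throwaway CA, an application cert issued by it, and a second,
# unrelated CA that deliberately reuses the same subject name.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=myapp.example" \
        -keyout "$d/mykey.pem" -out "$d/my.csr" 2>/dev/null
    openssl x509 -req -in "$d/my.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 1 -out "$d/mycert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/otherkey.pem" -out "$d/othercert.pem" 2>/dev/null
}

# Name check only: does the cert's Issuer equal the CA cert's Subject?
# usage: issuer_names_ca CAFILE CERT
issuer_names_ca() {
    ca_subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    cert_issuer=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')
    [ "$ca_subject" = "$cert_issuer" ]
}

# Cryptographic check: does the cert's signature verify under the CA's public key?
# usage: signed_by CAFILE CERT
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_demo_pki "$tmp"
for ca in cacert.pem othercert.pem; do
    issuer_names_ca "$tmp/$ca" "$tmp/mycert.pem" && n=yes || n=no
    signed_by "$tmp/$ca" "$tmp/mycert.pem" && s=yes || s=no
    echo "$ca: issuer name matches=$n, signature verifies=$s"
done
rm -rf "$tmp"
```

In a two-way SSL setup, each side runs this same kind of verification against the peer's certificate during the handshake, using its local CA file as the trust anchor.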


Author Closing Comment

ID: 35036370
Thank you! :-)

Question has a verified solution.