How ca.crt.pem works?

I maintains one application use allows two way ssl communication in order to do authentication and encryption for communication. I see my application use public key and private key and kept a file ca.crt.pem in their conf directory. It is the public key of CA which signs my application's Private key.

Now my question is what is the use of ca.crt.pem here? Does my application provide it's own public key and ca.crt.pem to client in order to do the verification of application's certificate?

Who is Participating?
jfk013097Connect With a Mentor Commented:
I think there is some confusion here.

There are (usually) at least three digital certificate files involved in an ssl comms link.

The public and private key pair (the first 2 of 3):
The key used to encrypt a message - or data stream is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys—a public encryption key and a private decryption key. The publicly available encrypting-key is freely available, but the private (decrypting) key should only be known only to the recipient.

Information is encrypted with the recipient's public key and can only be decrypted with the corresponding private key. The keys are related mathematically, but the private key cannot realistically be derived from the public key - at least not with current mathematics/physics.

Then there is the CA, or Certificate Authority (the 3rd and final part).

A CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon that certificate. There are a number of these, varying between the commercial ones such as Verisign, Thawte etc. and the free ones llike - and whilst the latter offers perfectly valid certificates, most browsers do not recognize the authenticity of that "root" certificate authority simply because they do not have that certificate bundled with them when they get installed, and will pop up alarming warning messages on encountering a site which is secured by a certificate which refers to that "CA" - it does not mean the security is any less, only that the browser has no authoritative knowledge of that CA. Large corporates and government institutions may initiate their own certificate authorities.

So, in answer to your question, I suspect the ca.crt.pem file you refer to is actually the Certificate Authorities digital certificate - not either your private or pubic key (which can often be contained in the same ascii file)

Hope that helps - it's quite a complex subject.

Ask away if you would like more detail, or clarity.

BxozConnect With a Mentor Commented:
ca.crt.pem is an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

wikipedia :
beer9Author Commented:
Hi Jfk, Thanks for the detailed explanation.

I would like to know if I have CA's cert and my own cert(public key) which was signed by CA. Then How can I verify whether CA has signed my public key(cert)? If I use below openssl command then which information would be required to confirm it? Signature? Thanks!

openssl x509 -in mycert.pem -noout -text
openssl x509 -in cacert.pem -noout -text

Open in new window

Hi beer9

The openssl command to interrogate keys/certificates varies depending on the type.

To verify your CA (in your case cacert.pem by the sound of it) use the following:

    openssl x509 -in cacert.pem -text -noout

and look for the line near the top of the output which begins "Data:" - this will tell you everything about the ca cert such as the issuer, the validity period and serial number.

To check a private key:

   openssl rsa -in privateKey.key -check

in general to check a certificate:

   openssl x509 -in certificate.crt -text -noout

you can also use the openssl command to check the validity of a certificate on a remote host like so:

   openssl s_client -connect

which will display the certifiate info for HSBC UK's web server. You can also use openssl to convert between different types of certificate should you have applications which require that.

Anything else I can help with?

beer9Author Commented:
Thank you! :-)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.