How ca.crt.pem works?

Posted on 2011-02-19
Last Modified: 2012-05-11
I maintains one application use allows two way ssl communication in order to do authentication and encryption for communication. I see my application use public key and private key and kept a file ca.crt.pem in their conf directory. It is the public key of CA which signs my application's Private key.

Now my question is what is the use of ca.crt.pem here? Does my application provide it's own public key and ca.crt.pem to client in order to do the verification of application's certificate?

Question by:beer9
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2

Assisted Solution

Bxoz earned 250 total points
ID: 34934470
ca.crt.pem is an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

wikipedia :

Accepted Solution

jfk013097 earned 250 total points
ID: 34934792
I think there is some confusion here.

There are (usually) at least three digital certificate files involved in an ssl comms link.

The public and private key pair (the first 2 of 3):
The key used to encrypt a message - or data stream is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys—a public encryption key and a private decryption key. The publicly available encrypting-key is freely available, but the private (decrypting) key should only be known only to the recipient.

Information is encrypted with the recipient's public key and can only be decrypted with the corresponding private key. The keys are related mathematically, but the private key cannot realistically be derived from the public key - at least not with current mathematics/physics.

Then there is the CA, or Certificate Authority (the 3rd and final part).

A CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon that certificate. There are a number of these, varying between the commercial ones such as Verisign, Thawte etc. and the free ones llike - and whilst the latter offers perfectly valid certificates, most browsers do not recognize the authenticity of that "root" certificate authority simply because they do not have that certificate bundled with them when they get installed, and will pop up alarming warning messages on encountering a site which is secured by a certificate which refers to that "CA" - it does not mean the security is any less, only that the browser has no authoritative knowledge of that CA. Large corporates and government institutions may initiate their own certificate authorities.

So, in answer to your question, I suspect the ca.crt.pem file you refer to is actually the Certificate Authorities digital certificate - not either your private or pubic key (which can often be contained in the same ascii file)

Hope that helps - it's quite a complex subject.

Ask away if you would like more detail, or clarity.


Author Comment

ID: 34987077
Hi Jfk, Thanks for the detailed explanation.

I would like to know if I have CA's cert and my own cert(public key) which was signed by CA. Then How can I verify whether CA has signed my public key(cert)? If I use below openssl command then which information would be required to confirm it? Signature? Thanks!

openssl x509 -in mycert.pem -noout -text
openssl x509 -in cacert.pem -noout -text

Open in new window


Expert Comment

ID: 34987256
Hi beer9

The openssl command to interrogate keys/certificates varies depending on the type.

To verify your CA (in your case cacert.pem by the sound of it) use the following:

    openssl x509 -in cacert.pem -text -noout

and look for the line near the top of the output which begins "Data:" - this will tell you everything about the ca cert such as the issuer, the validity period and serial number.

To check a private key:

   openssl rsa -in privateKey.key -check

in general to check a certificate:

   openssl x509 -in certificate.crt -text -noout

you can also use the openssl command to check the validity of a certificate on a remote host like so:

   openssl s_client -connect

which will display the certifiate info for HSBC UK's web server. You can also use openssl to convert between different types of certificate should you have applications which require that.

Anything else I can help with?


Author Closing Comment

ID: 35036370
Thank you! :-)

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you need a certificate so you can offer SSL encryption.  But which one should you get?  There are so many choices out there! Here is a generic overview of the main types of SSL certificates sold by the majority of commercial Certification Auth…
Imagine a situation that you have installed SSL ( Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : All lightning effects with instructions : http://www.mediaf…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question