How are SSL certificates verified?

Asked by c-h-r-i-s-t-o-p-h:
What are different methods of verifying / authorizing SSL certificates?

Are there methods that are completed locally on the server and/or client?

Are there methods that can be completed internally in my organization?

Are there methods that require the server and/or client to touch the internet?
Distinguished Expert 2017

Commented:
The verification is part of the issuing process. See Verisign, GoDaddy, Thawte, or any other SSL issuing entity.
Top Expert 2014

Commented:
I agree with Mod_MarlEE, seems like a homework question.

TLS V1 standard: http://www.ietf.org/rfc/rfc2246.txt

Based on SSL V3. SSL was developed by Netscape; TLS is the RFC'ed public version of SSL.

Author

Commented:
arnold - based on what you have said, am I correct in assuming that ports 443 (and 80?) would need to be open between the server (or client?) and the issuing entity (i.e. thawte, godaddy, verisign, etc). Otherwise, SSL certs will not authorize correctly?

Would the inability for the client and/or server to reach the issuing entity cause clients to hang during initial client hello/server hello handshake?
noci, Software Engineer
Distinguished Expert 2018

Commented:
No, you need to study further.
Port 443 just implements a very specific content (HTTP) over an SSL connection.
Port 80 implements HTTP without SSL,
like 445 implements CIFS (more or less SMB over SSL) and port 139 implements SMB without SSL;
port 143 is IMAP and 993 IMAP + SSL, etc. etc.

A good starting point: http://www.openssl.org/docs/ -- this library + toolkit implements SSL (raw SSL).
For the CA part of things try http://wiki.cacert.org/ -- this organisation has open documentation & sources to create certificates.

Author

Commented:
noci - allow me to clarify, I am referring specifically to HTTPS negotiation.
noci, Software Engineer
Distinguished Expert 2018
Commented:
I understand, but the verification of HTTPS is the same as CIFS and IMAPS and SMTPS, etc.
The method is SSL, so check the SSL documentation on that.
The implementation can be OpenSSL, GnuTLS or some other. Lots of tools use OpenSSL, hence my reference to it.
OpenSSL implements certificates but not TRUST. Trust is decided by YOU using a selection of trusted CAs
(or, if you are lazy, you accept the trusted certificates of your OS/browser/... supplier).

You need to check the implementation for the location & format of the list of trusted CAs, certificates, etc.
You need to verify the chains of trust using the implementation's toolkits and your own common sense.
Distinguished Expert 2017

Commented:
The signing authorities do not, and have no reason to, access your sites.
When you request a certificate you present a Certificate Signing Request that includes all the information that identifies you/the organization/the site, depending on the purpose of the certificate. The Signing Authority (Certificate Authority: Verisign, Thawte, etc.) has a process for validating that the request for the certificate is coming from the correct entity. Once their documentation/process is fulfilled, they use their certificate to sign your CSR, and the result is your certificate.
The distinction between the certificate types comes from the type of CSR you generate.
I.e. if you use www.somedomain.com, you will get a web certificate; if you use your name and the appropriate template, you will get a user certificate, etc.

There are two ways to verify the certificate: OCSP, which "checks" at the time of access to make sure this certificate has not been revoked, and the other method, which deals with checking the signing path to make sure it is trusted.
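The two checks arnold describes (the signing path, and revocation) and noci's point that the trust store is the client's own choice can all be exercised without any network access. The program below is an added example, not code from the thread or from OpenSSL: it builds a constructed in-memory hierarchy (a hypothetical "Example Root CA", an "Example Issuing CA" intermediate and a server certificate for the made-up host www.example.test), then verifies the path against a trust store the caller picks, shows the two ways that check fails (host mismatch, root not trusted), and finally has the issuing CA publish a CRL and checks the leaf's serial against it after validating the CRL's own signature. Everything runs locally with Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed, in-memory three-tier hierarchy standing in for a public
// CA: an offline root, an issuing intermediate, and one server certificate.
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
	IntermediateKey          *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue is the "CA signs your CSR" step: parentKey signs tpl, and the DER result is parsed back.
func issue(tpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// BuildPKI creates the hypothetical chain Example Root CA -> Example Issuing CA -> www.example.test.
func BuildPKI() *PKI {
	now := time.Now()
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign // CA keys sign certs and CRLs, nothing else

	rootTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
	}
	root := issue(rootTpl, rootTpl, &rootKey.PublicKey, rootKey) // self-signed trust anchor

	interTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
	}
	inter := issue(interTpl, root, &interKey.PublicKey, rootKey)

	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames:  []string{"www.example.test"}, // name verification uses the SAN, not the CN
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTpl, inter, &leafKey.PublicKey, interKey)
	return &PKI{Root: root, Intermediate: inter, Leaf: leaf, IntermediateKey: interKey}
}

// VerifyPath is the "signing path" check and runs entirely on the client with no network:
// build a chain from the leaf through the intermediates the server presented up to a root
// the caller chose to trust, checking signatures, validity dates, host name and key usage.
func VerifyPath(leaf *x509.Certificate, intermediates, trustedRoots []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustedRoots {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// IssueCRL has the issuing CA sign a revocation list naming the given serials. A client holding
// this file (fetched once, or distributed internally) can answer the revocation question offline.
func IssueCRL(p *PKI, revoked ...*big.Int) *x509.RevocationList {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	tpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: entries}
	der, err := x509.CreateRevocationList(rand.Reader, tpl, p.Intermediate, p.IntermediateKey)
	check(err)
	crl, err := x509.ParseRevocationList(der)
	check(err)
	return crl
}

// IsRevoked is the revocation check: a CRL is only believed after its own signature is
// verified against the issuer, and only then is the leaf's serial looked up in it.
func IsRevoked(crl *x509.RevocationList, issuer, leaf *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p := BuildPKI()
	chain, store := []*x509.Certificate{p.Intermediate}, []*x509.Certificate{p.Root}
	fmt.Println("trusted root, right host:", VerifyPath(p.Leaf, chain, store, "www.example.test"))
	fmt.Println("trusted root, wrong host:", VerifyPath(p.Leaf, chain, store, "mail.example.test"))
	fmt.Println("root not in trust store: ", VerifyPath(p.Leaf, chain, nil, "www.example.test"))
	revoked, err := IsRevoked(IssueCRL(p, p.Leaf.SerialNumber), p.Intermediate, p.Leaf)
	fmt.Println("revoked by CRL:", revoked, err)
}
```

Nothing here talks to a CA: the root is trusted only because it was placed in the pool passed to VerifyPath, which is exactly the "trust is decided by you" distinction. The only part of real-world verification that needs the network is obtaining fresh revocation data (a CRL download or an OCSP query to the responder URL in the certificate), and even that can be served from inside the organisation; with the CRL already in hand, the revocation lookup above is also fully local.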
