Solved

Trusted SSL Certificate vs non-trusted SSL certificate

Posted on 2014-03-24
Last Modified: 2014-03-26
Could someone please explain what the difference is between a trusted certificate and a non-trusted certificate?

Thanks
Question by:Anthony Lucia
2 Comments
 

Assisted Solution

by:becraig
becraig earned 1000 total points
ID: 39950873
The short answer is a "Trusted Certificate" is a certificate authority publicly trusted.

e.g.
If you call a website with SSL, the idea behind using SSL is that the content is encrypted between server and client. A trusted publisher is regulated by government authorities etc. and their root and intermediate certificates are distributed with OSes such as Windows etc.

Anyone can be a Certificate Authority (with the right software), and as such anyone can issue a certificate; the difference is that if the root and intermediate certificates are not trusted by your computer, it will be an untrusted certificate, since, unlike publicly trusted authorities, your root and intermediate certificates are not known to the computer / user.

That is the short answer.

Accepted Solution

by:Dave Howe
Dave Howe earned 1000 total points
ID: 39955288
Verifying a certificate as "trusted" is actually a pretty complex process.

In order to be trusted, the certificate must be valid, and must have either a CN or a SAN entry that matches the site you are trying to connect to (for server certificates; for email, they must have the email address of the user, and there is usually no special condition for a client certificate).

In order to be valid, the certificate must be:
a) within its validity date range
b) have a purpose appropriate to the thing you are attempting to do (you can get different sorts of certificate, so an email certificate is rarely also valid as a webserver certificate)
c) have a correct signature
d) be signed by a certificate that is itself trusted

Which brings us to certificate chains. One of the purposes a certificate CAN have is as a signing (CA) certificate, and only such certificates are allowed to sign other certificates (although any certificate can sign itself). You can have an entire chain of such certificates, and need not have the entire chain available at the start of verification (however, a certificate will not be trusted unless you either have or can fetch the signing certificate, and the signing certificate itself is valid).

Finally, each certificate chain must end with a certificate that is in your local trust store; Windows has such a store, as do all browsers and the Java environment. The trusting application will check first the chain, then when it finds a certificate that is signed by itself, will look for that in its local trust store - should it find it, then the chain (and hence the certificate itself) is trusted, otherwise you have a valid (but untrusted) chain and hence a valid (but untrusted) certificate.
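The trust-store step both answers describe can be reproduced with the OpenSSL command line. The script below is an added example, not part of either answer: it creates a private root CA, signs a server certificate with it, and verifies that same certificate against a store that holds the root, a store that does not, and the wrong host name. All names, keys and files are constructed, and `make_root` and `check_trust` are hypothetical helpers; it assumes the `openssl` CLI with its default configuration file is installed.

```bash
#!/bin/sh
# Constructed demo: all names, keys and files here are made up for illustration.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Self-signed root CA; arg 1 = file stem, arg 2 = subject CN.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}
make_root private "Example Private Root"   # the CA that signs our server cert
make_root other   "Some Other Root"        # stands in for a store lacking our CA

# Server certificate for www.example.test, signed by the private root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
printf 'subjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' \
  > "$work/ext.cnf"
openssl x509 -req -in "$work/leaf.csr" -days 30 -extfile "$work/ext.cnf" \
  -CA "$work/private.pem" -CAkey "$work/private.key" -CAcreateserial \
  -out "$work/leaf.pem" 2>/dev/null

# check_trust STORE CERT HOST -> prints "trusted" or "untrusted".
# openssl verify checks dates, server purpose, the signatures up the chain,
# the host name, and whether the chain ends in a certificate found in STORE.
check_trust() {
  if openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" \
       2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "store has our root:     $(check_trust "$work/private.pem" "$work/leaf.pem" www.example.test)"
echo "store lacks our root:   $(check_trust "$work/other.pem" "$work/leaf.pem" www.example.test)"
echo "right root, wrong name: $(check_trust "$work/private.pem" "$work/leaf.pem" mail.example.test)"
```

The certificate is identical in all three checks; only the trust store or the expected name changes, which is why the same certificate can be trusted on one machine and untrusted on another.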

Question has a verified solution.
