Solved

Trusted SSL Certificate vs non-trusted SSL certificate

Posted on 2014-03-24
Last Modified: 2014-03-26
Could someone please explain what the difference is between a trusted certificate and a non-trusted certificate?

Thanks
Question by:Anthony Lucia

Assisted Solution

by:becraig
becraig earned 250 total points
ID: 39950873
The short answer is a "Trusted Certificate" is a certificate authority publicly trusted.

e.g.
If you call a website with SSL, the idea behind using SSL is that the content is encrypted between server and client. A trusted publisher is regulated by government authorities etc. and their root and intermediate certificates are distributed with OSes such as Windows etc.

Anyone can be a Certificate Authority (with the right software); as such, anyone can issue a certificate, the difference being if the ROOT and intermediate certificates are not trusted by your computer it will be an untrusted certificate, since unlike publicly trusted Authorities, your root and intermediate certificates are not known to the computer / user.

That is the short answer.

Accepted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 39955288
Verifying a certificate as "trusted" is actually a pretty complex process.

In order to be trusted, the certificate must be valid, and must have either a CN or a SAN entry that matches the site you are trying to connect to (for server certificates; for email, they must have the email address of the user, and there is usually no special condition for a client certificate).

In order to be valid, the certificate must be:
a) within its validity date range
b) have a purpose appropriate to the thing you are attempting to do (you can get different sorts of certificate, so an email certificate is rarely also valid as a webserver certificate)
c) have a correct signature
d) be signed by a certificate that is itself trusted

Which brings us to certificate chains. One of the purposes a certificate CAN have is as a signing (CA) certificate, and only such certificates are allowed to sign other certificates (although any certificate can sign itself). You can have an entire chain of such certificates, and need not have the entire chain available at the start of verification (however, a certificate will not be trusted unless you either have or can fetch the signing certificate, and the signing certificate itself is valid).

Finally, each certificate chain must end with a certificate that is in your local trust store; Windows has such a store, as do all browsers and the Java environment. The trusting application will check first the chain, then when it finds a certificate that is signed by itself, will look for that in its local trust store - should it find it, then the chain (and hence the certificate itself) is trusted, otherwise you have a valid (but untrusted) chain and hence a valid (but untrusted) certificate.
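
The checks described in the accepted answer, as an added example that is not part of either poster's reply: it builds a constructed private CA and a server certificate with the `openssl` CLI, then verifies that same certificate against different trust anchors and host names. All subjects, host names and file names are made up, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Constructed demo: all subjects, host names and file names are made up.

make_pki() {  # $1 = work dir: create a private root CA and a server cert it signs
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
  # Purpose (server auth) and the name the certificate is valid for (SAN).
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' \
    > "$d/leaf.ext"
  # Self-signed root: a correct signature, but no default trust store contains it.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 30 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# verdict <trust anchor file, or "" for the system default store> <host> <cert>
verdict() {
  anchor=$1 host=$2 cert=$3
  set -- -purpose sslserver -verify_hostname "$host"
  if [ -n "$anchor" ]; then set -- "$@" -CAfile "$anchor" -no-CApath; fi
  # openssl verify checks dates, purpose, signatures and the chain to an anchor.
  if openssl verify "$@" "$cert" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

work=$(mktemp -d)
make_pki "$work"
echo "root in trust store:  $(verdict "$work/ca.pem" www.example.test "$work/leaf.pem")"
echo "default trust store:  $(verdict "" www.example.test "$work/leaf.pem")"
echo "name not in the SAN:  $(verdict "$work/ca.pem" mail.example.test "$work/leaf.pem")"
```

The certificate file is identical in all three runs; only the trust anchor and the requested host name change.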