Solved

Trusted SSL Certificate vs non-trusted SSL certificate

Posted on 2014-03-24
Last Modified: 2014-03-26
Could someone please explain what the difference is between a trusted certificate and a non-trusted certificate?

Thanks
Question by:Anthony Lucia
2 Comments
LVL 29

Assisted Solution

by:becraig
becraig earned 250 total points
ID: 39950873
The short answer is that a "Trusted Certificate" is one issued by a publicly trusted certificate authority.

e.g.
If you call a website with SSL, the idea behind using SSL is that the content is encrypted between server and client. A trusted publisher is regulated by government authorities etc., and their root and intermediate certificates are distributed with OSes such as Windows.

Anyone can be a Certificate Authority (with the right software), and as such anyone can issue a certificate. The difference is that if the ROOT and intermediate certificates are not trusted by your computer, it will be an untrusted certificate, since unlike publicly trusted authorities, your root and intermediate certificates are not known to the computer / user.

That is the short answer.
LVL 33

Accepted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 39955288
Verifying a certificate as "trusted" is actually a pretty complex process.

In order to be trusted, the certificate must be valid, and must have either a CN or a SAN entry that matches the site you are trying to connect to (for server certificates; for email, they must have the email address of the user, and there is usually no special condition for a client certificate).

In order to be valid, the certificate must:
a) be within its validity date range
b) have a purpose appropriate to the thing you are attempting to do (you can get different sorts of certificate, so an email certificate is rarely also valid as a webserver certificate)
c) have a correct signature
d) be signed by a certificate that is itself trusted

Which brings us to certificate chains. One of the purposes a certificate CAN have is as a signing (CA) certificate, and only such certificates are allowed to sign other certificates (although any certificate can sign itself). You can have an entire chain of such certificates, and need not have the entire chain available at the start of verification (however, a certificate will not be trusted unless you either have or can fetch the signing certificate, and the signing certificate itself is valid).

Finally, each certificate chain must end with a certificate that is in your local trust store; Windows has such a store, as do all browsers and the Java environment. The trusting application will check first the chain, then when it finds a certificate that is signed by itself, will look for that in its local trust store. Should it find it, then the chain (and hence the certificate itself) is trusted; otherwise you have a valid (but untrusted) chain and hence a valid (but untrusted) certificate.
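The decision procedure described in the accepted answer, as an added example that is not part of either answer: a dependency-free Python model in which certificates are plain dicts, the "signature" is a toy HMAC stand-in rather than real X.509/RSA/ECDSA, and the names Example Root CA, Example Issuing CA and www.example.com are constructed. It walks the chain in the order the answer gives (validity dates, purpose, name match, signature, CA issuer, then the self-signed end of the chain looked up in the trust store), which is exactly what separates "valid but untrusted" from "trusted".

```python
from datetime import date
import hashlib, hmac

def tbs(c):  # the "to be signed" fields: everything except the signature itself
    return repr(sorted((k, v) for k, v in c.items() if k != "sig")).encode()

def make_cert(subject, issuer, signer_key, key, ca=False, eku=("serverAuth",), san=(),
              not_before=date(2014, 1, 1), not_after=date(2016, 1, 1)):
    c = {"subject": subject, "issuer": issuer, "key": key, "ca": ca, "eku": eku,
         "san": san, "not_before": not_before, "not_after": not_after}
    c["sig"] = hmac.new(signer_key, tbs(c), hashlib.sha256).hexdigest()  # toy stand-in for RSA/ECDSA
    return c

def signature_ok(c, issuer):  # in the toy scheme the issuer's "key" verifies what it signed
    return hmac.compare_digest(c["sig"], hmac.new(issuer["key"], tbs(c), hashlib.sha256).hexdigest())

def name_matches(c, host):  # SAN entries win; the subject (CN) is only a fallback when no SAN exists
    names = c["san"] or (c["subject"],)
    return any(n == host or (n.startswith("*.") and host.split(".", 1)[1:] == [n[2:]]) for n in names)

def verify(leaf, host, today, available, trust_store):  # -> 'trusted' | 'valid but untrusted' | 'invalid: ...'
    if "serverAuth" not in leaf["eku"]:
        return "invalid: certificate purpose does not allow server use"
    if not name_matches(leaf, host):
        return f"invalid: no CN/SAN entry matches {host}"
    cur, seen = leaf, set()
    while True:
        if not (cur["not_before"] <= today <= cur["not_after"]):
            return f"invalid: {cur['subject']} is outside its validity period"
        if cur["subject"] == cur["issuer"]:  # self-signed: the chain ends here
            if not signature_ok(cur, cur):
                return f"invalid: bad self-signature on {cur['subject']}"
            anchored = any(t["subject"] == cur["subject"] and t["key"] == cur["key"] for t in trust_store)
            return "trusted" if anchored else "valid but untrusted"
        issuer = next((c for c in available if c["subject"] == cur["issuer"]), None)
        if issuer is None:  # neither sent by the server nor fetchable
            return f"invalid: signing certificate {cur['issuer']} is not available"
        if not issuer["ca"]:
            return f"invalid: {issuer['subject']} is not a CA certificate"
        if not signature_ok(cur, issuer):
            return f"invalid: bad signature on {cur['subject']}"
        if issuer["subject"] in seen:  # cross-signed CAs can form a cycle; refuse to spin forever
            return "invalid: certificate chain loops"
        seen.add(cur["subject"]); cur = issuer
# Constructed sample PKI: root -> issuing CA -> server certificate (keys are toy secrets, not real keys).
ROOT_KEY, INT_KEY, SRV_KEY = b"root-key", b"issuing-key", b"server-key"
ROOT = make_cert("Example Root CA", "Example Root CA", ROOT_KEY, ROOT_KEY, ca=True, eku=())
INTER = make_cert("Example Issuing CA", "Example Root CA", ROOT_KEY, INT_KEY, ca=True, eku=())
SERVER = make_cert("www.example.com", "Example Issuing CA", INT_KEY, SRV_KEY, san=("www.example.com", "*.example.com"))
TODAY = date(2014, 3, 25)
```

With an empty trust store the same chain comes back "valid but untrusted", which is the situation a home-made CA produces until its root is imported into the trust store.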