Solved

Trusted SSL Certificate vs non-trusted SSL certificate

Posted on 2014-03-24
2
412 Views
Last Modified: 2014-03-26
Could someone please explain what the difference is between a trusted certificate and a non-trusted certificate>

Thanks
0
Comment
Question by:Anthony Lucia
2 Comments
 
LVL 29

Assisted Solution

by:becraig
becraig earned 250 total points
ID: 39950873
The short answer is a "Trusted Certificate" is a certificate authority publicly trusted.

e.g.
If you call a website with SSL the idea behind using SSL is that the content is encrypted between server and client. A trusted publisher is regulated by government authorities etc and their root and Intermediate certificates are distributed with OS's such as windows etc.

Anyone can be a Certificate Authority (with the right software) as such anyone can issue a certificate, the difference being if the ROOT and Intermediate certificates are not trusted by your computer it will be an untrusted certificate, since unlike publicly trusted Authorities, your root and intermediates certificates are not known to the computer / user.

That is the short answer.
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 250 total points
ID: 39955288
Verifying a certificate as "trusted" is actually a pretty complex process.

In order to be trusted, the certificate must be valid, and must have either a CN or a SAN entry that matches the site you are trying to connect to (for server certificates; for email, they must have the email address of the user, and there is usually no special condition for a client certificate).

In order to be valid, the certificate must be:
a) within its validity date range
b) have a purpose appropriate to the thing you are attempting to do (you can get different sorts of certificate, so an email certificate is rarely also valid as a webserver certificate)
c) have a correct signature
d) be signed by a certificate that is itself trusted

Which brings us to certificate chains. one of the purposes a certificate CAN have is as a signing (CA) certificate, and only such certificates are allowed to sign other certificates (although any certificate can sign itself) - You can have an entire chain of such certificates, and need not have the entire chain available at the start of verification (however, a certificate will not be trusted unless you either have or can fetch the signing certificate, and the signing certificate itself is valid)

Finally, each certificate chain must end with a certificate that is in your local trust store; windows has such a store, as do all browsers and the java environment. The trusting application will check first the chain, then when it finds a certificate that is signed by itself, will look for that in its local trust store - should it find it, then the chain (and hence the certificate itself) is trusted, otherwise you have a valid (but untrusted) chain and hence a valid (but untrusted) certificate.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question