How Do you Check a Certificate?

We said above that the SSL software compares a certificate to a list of known CAs. We'll describe more precisely what happens.

A CA itself has a certificate - a self-signed one in the case of a root CA. Your SSL software can store certificates (known as installing a certificate), and typically comes with the certificates of a number of well-known CAs already installed. You can install more, if you come across more CAs you wish to trust. Also, might provide automatic updates that install additional CA certificates in Internet Explorer.

When your SSL software receives an entity's certificate as part of a handshake, it compares the hierarchy of CAs named in the certificate to the installed CA certificates. If any in the hierarchy matches any in the installed list, then the entity is considered to have been certified by a known and trusted CA.

Your SSL software also needs to check that the CA's digital signature in the entity's certificate is genuine. Remember that to check a digital signature your SSL software decrypts it using its owner's public key, and then compares the resulting decrypted hash with the hash that the SSL software has itself worked out from the message (in this case the entity's certificate). The SSL software obtains the CA's public key from the CA's certificate.