
What is a Trusted Root Certificate?

What is a Chained Root Certificate?


Some companies operate a Trusted Root Authority. They are established companies, and they've paid good money to have their root certificates included in your web browser (whether it's Internet Explorer, Firefox, Safari, Opera, etc.). Your browser will automatically "trust" any certificate that has been issued directly by these authorities. These certificates are usually issued by GeoTrust, Verisign or Thawte. Here's how it looks to your browser:

Server sends certificate to browser for verification
	                          |
Browser checks the issuing authority (e.g., Thawte) on the certificate
	                          |
Browser then checks its internal list of trusted roots.
	                          |
Browser says "OK! - I believe you are who you say you are!"



Other companies operate certificate authorities, but they aren't "trusted roots". They usually issue "Chained Certificates", based on a root that is issued by one of the Trusted Root servers. Here's how it looks to your browser:

Server sends certificate and a "chain certificate" to browser for verification
	                          |
Browser checks the issuing authority (e.g., XYZ company) on the certificate
	                          |
Browser says, "I don't know who you are. But I see you were issued by XYZ and that you've included XYZ's certificate"
	                          |
Browser then checks the chain certificate and sees that it's issued by a Trusted Root
	                          |
Browser then checks its internal list of trusted roots.
	                          |
Browser says "OK! - I believe you are who you say you are!"



You can also work with a self-signed certificate. This is the kind of certificate you might encounter when using a secure login on a shared server. This certificate is still good for encrypting data, but there is no third-party verification process used to identify the server sending the certificate.

Server sends certificate and a "chain certificate" to browser for verification
	                          |
Browser checks the issuing authority (e.g., XYZ company) on the certificate
	                          |
Browser says, "I don't know who you are. I see you were issued by yourself, and not by a Trusted Root"
	                          |
Browser then displays a warning dialog saying that the certificate could not be verified automatically.
	                          |
User decides whether to accept the certificate or reject the certificate.
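
The chained and self-signed flows above can be reproduced with the openssl command line. This is an added example, not part of the original FAQ: it builds a throwaway root, an "XYZ" chain certificate, a server certificate and a self-signed certificate, then verifies each against a trust store that holds only the root. All subject names and file names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: throwaway PKI in a temp directory. Every name below
# (Example Trusted Root, XYZ Company CA, www.example.test) is constructed.
set -u
D=$(mktemp -d) && trap 'rm -rf "$D"' EXIT

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$D/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ext_ca]
basicConstraints = critical,CA:TRUE
[ext_leaf]
basicConstraints = CA:FALSE
EOF

# new_csr STEM CN: fresh RSA key plus a certificate request for CN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$D/pki.cnf" \
    -subj "/CN=$2" -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}
# self_sign STEM EXT: certificate signed by its own key.
self_sign() {
  openssl x509 -req -in "$D/$1.csr" -signkey "$D/$1.key" -days 30 \
    -extfile "$D/pki.cnf" -extensions "$2" -out "$D/$1.pem" 2>/dev/null
}
# issue STEM ISSUER EXT SERIAL: certificate signed by ISSUER's key.
issue() {
  openssl x509 -req -in "$D/$1.csr" -CA "$D/$2.pem" -CAkey "$D/$2.key" \
    -set_serial "$4" -days 30 -extfile "$D/pki.cnf" -extensions "$3" \
    -out "$D/$1.pem" 2>/dev/null
}

new_csr root "Example Trusted Root";  self_sign root ext_ca
new_csr xyz "XYZ Company CA";         issue xyz root ext_ca 2
new_csr server "www.example.test";    issue server xyz ext_leaf 3
new_csr self "shared.example.test";   self_sign self ext_leaf

# The trust store holds only the root, as in the browser's built-in list.
verify_with_chain()    { openssl verify -CAfile "$D/root.pem" -untrusted "$D/xyz.pem" "$D/server.pem"; }
verify_without_chain() { openssl verify -CAfile "$D/root.pem" "$D/server.pem"; }
verify_self_signed()   { openssl verify -CAfile "$D/root.pem" "$D/self.pem"; }

for t in verify_with_chain verify_without_chain verify_self_signed; do
  echo "== $t"; "$t" 2>&1 || echo "-> rejected"
done
```

Only the first check succeeds: without the chain certificate the verifier cannot link the server certificate to the root, and the self-signed certificate has no issuer in the trust store at all.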


