Server authentication using certificate (process)

What I understand so far:

  1. The CA (certificate authority) has a key and builds a certificate using that key
  2. The server has a key and builds a CSR (Certificate Signing Request) with that key
  3. Then, using both the CA crt and key as well as the server CSR, the CA builds a server certificate
  4. To authenticate a server, the client uses the CA (its certificate) like this:

    4.1. The client receives the server certificate

    4.2. The client verifies that this certificate is authenticated by the certificate of the CA that it has (using the public key of the CA); it also verifies that the serial number of this certificate is not in the CRL (certificate revocation list)

    4.3. The client generates a symmetric key, encrypts it using the public key given by the server, and sends it to the server

    4.4. All communication starting from now is then encrypted using this symmetric key

Here is where I am still a bit confused:

  • The client uses the CA public key to verify the server certificate in step 4.2, but how does a match occur since the client only has the certificate of the CA? I mean, unless the server CSR passed to the CA has the same information verified by the client as the crt of the CA that the client has, how can a match occur?

  • Since anyone can have the server certificate, I am assuming the only step that ensures that only the server can communicate with the client is step 4.3, where only the server can have the symmetric key because only the server has the private key, so only it can decrypt this encrypted symmetric key. Is this correct?

  • I am also not sure of all the steps or if I missed any steps.


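  • I found an answer (How are SSL certificates verified?) that answered the first part of my question, and then luckily someone posted a link in the comments that answers the rest: http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html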
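
The issuance steps 1 to 3 and the signature check from step 4.2, reproduced with the `openssl` command line as an added example that is not part of the original post. The names `Example Test CA` and `server.example.test`, the file names and the helper functions are constructed for illustration, and the CRL lookup from step 4.2 is not covered.

```bash
#!/usr/bin/env bash
# Added example; all names are constructed and the keys are throwaway test keys.
set -eu

build_pki() {  # $1 = working directory
  d="$1"
  # Step 1: the CA has a key and a self-signed certificate (the file clients hold).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Step 2: the server has a key and a CSR carrying its public key and name.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  # Step 3: the CA signs the CSR contents with ca.key and emits server.crt.
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
  # Negative case: a second CA with the same name but a different key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

# Step 4.2: the client needs only a CA certificate, because the public key in it
# is enough to check the signature the CA placed on the server certificate.
verify_with() {  # $1 = trusted CA cert, $2 = cert to check; prints OK or FAIL
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# The certificate carries a public key; only the holder of the matching private
# key can use it. Prints SAME when the key file matches the certificate.
key_matches_cert() {  # $1 = certificate, $2 = private key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey)
  from_key=$(openssl pkey -in "$2" -pubout)
  if [ "$from_cert" = "$from_key" ]; then echo SAME; else echo DIFFERENT; fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_pki "$work"
echo "verified with the issuing CA cert:  $(verify_with "$work/ca.crt" "$work/server.crt")"
echo "verified with a same-name other CA: $(verify_with "$work/other.crt" "$work/server.crt")"
echo "server.key vs key in server.crt:    $(key_matches_cert "$work/server.crt" "$work/server.key")"
```

The second check fails even though both CA certificates carry the same subject name, which shows that the match depends on the CA's key pair and signature rather than on the CSR and the CA certificate containing the same information.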
