Very good explanation.
awesome explanation!
I just happened to get into root certificate and found China Financial
👍
So, you have the root cert in a generator and from that it stems? Then every next one is in its own gen that stems too? Each has their own set of permissions or limitations?
So is the chain of trust followed up the web server’s intermediate(s) and root installed certificates? Some descriptions sound like the browser is following the certificate chain on the client (browser).
Thanks for your question! In short, you are correct that the browser is responsible for establishing the chain of trust. To verify a certificate, a browser will obtain a sequence of certificates, each one having signed the next certificate in the sequence, connecting the signing CA’s root to the server’s certificate. For more details, check out this Venafi blog post: www.venafi.com/blog/how-does-browser-trust-certificate?
Good explanation.
Someone told me that root CAs are powered off and offline. How can it validate back up to the root if this is the case?
Thanks for your great question! You are correct that for security purposes, the root CA is powered off and offline, and is inaccessible whenever it’s not performing a signing operation on a subordinate CA certificate (aka 99% of the time). That being said, the PUBLIC portion of the Root CA certificate is included in the subordinate CA, plus any end-entity certificate signed by the SubCA. This means validation can continue happening even when the Root CA and/or Intermediate (aka Subordinate) is offline!
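The chain building described in the two answers above, as an added example that is not from the video or from Venafi: a constructed Root CA, Issuing CA and server certificate are created in Go, and the leaf is then verified the way a browser does it, with only the root's public certificate in the trust store and the intermediate supplied alongside the leaf. The CA names and the hostname www.example.test are made up for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// template builds a minimal certificate: CAs get certSign, the leaf a DNS SAN plus serverAuth.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}
// issue generates a P-256 key for tmpl and has signer certify it (signer == nil: self-signed root).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if signer == nil { signer = key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildAndVerify builds a constructed Root CA -> Issuing CA -> server-cert hierarchy and verifies the
// leaf as a browser would: the trust store holds only the root's PUBLIC certificate, the intermediate
// must arrive with the leaf, and the root's private key is never touched after it signed the SubCA.
func BuildAndVerify(serverSendsIntermediate bool) (int, error) {
	rootTmpl := template("Constructed Root CA", 1, true)
	root, rootKey := issue(rootTmpl, rootTmpl, nil)
	inter, interKey := issue(template("Constructed Issuing CA", 2, true), root, rootKey)
	leaf, _ := issue(template("www.example.test", 3, false), inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // the only thing the client trusts a priori; the root's key can stay offline
	if serverSendsIntermediate { inters.AddCert(inter) } // what the TLS handshake delivers with the leaf
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.example.test", Roots: roots, Intermediates: inters})
	if err != nil { return 0, err }
	return len(chains[0]), nil // 3 certificates: leaf, intermediate, root
}
func main() { fmt.Println(BuildAndVerify(true)) }
```

Calling BuildAndVerify(false) shows the failure mode a misconfigured server produces: with the intermediate missing from the handshake the browser cannot connect the leaf to the root and rejects it, even though the root itself is trusted.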
@VenafiCo great. Thanks. My organization uses Venafi and I just started using it daily and I'm trying to learn as much as possible.
@VenafiCo Thanks very much for the question and the detailed answer. That helped me understand the concept for my company TLS Root plan as well!
Very well stated. Good stuff!
Can we directly certify by the root CA, removing the intermediate certificate?
Well done. Liked and subscribed.
Awesome, just need some diagrams for us bad listeners
Perfect