Mar Java Mit Java

  • Uncategorised

How a Browser Validates a Website Certificate (Detailed Step-by-Step)

by · February 6, 2025

Let’s break down how a browser validates an SSL certificate when you visit a website with a certificate issued by an Intermediate Certificate Authority (ICA) signed by a trusted Root Certificate Authority (CA).

1. Using Root CA’s Public Key to Validate ICA Certificate

  • What happens:
    The browser uses the Root CA’s public key (which it already trusts) to verify the ICA certificate signature.
  • What is decrypted/verified:
    • The Root CA digitally signs a hash of the entire ICA certificate contents, including:
      • Subject (ICA Authority)
      • Issuer (Root CA)
      • ICA Public Key
      • Validity period
      • Signature algorithm
    • The browser uses the Root CA’s public key to decrypt the signature and compare the result with the hash computed from the ICA certificate.
    • If they match: The browser trusts that the ICA is legitimate.

2. Using ICA’s Public Key to Validate Server Certificate

  • What happens:
    The browser uses the public key from the validated ICA certificate to check the server certificate’s signature.
  • What is decrypted/verified:
    • The ICA digitally signs a hash of the server certificate contents, which include:
      • Subject (example.com)
      • Issuer (ICA Authority)
      • Server’s Public Key
      • Validity period
      • Signature algorithm
    • The browser decrypts the signature using the ICA’s public key and compares it with the computed hash from the server certificate.
    • If they match: The server certificate is verified as genuine.

3. Using Server’s Public Key to Securely Exchange Session Key

  • What happens:
    During the TLS handshake, the browser generates a random session key for symmetric encryption (faster than asymmetric encryption).
    This session key will be used to encrypt all future communication between the client and server.
  • What is encrypted:
    • The browser encrypts the session key using the server’s public key from the verified server certificate.
    • Only the server can decrypt this using its private key.

Final Steps

  1. The server decrypts the session key using its private key.
  2. Both the browser and server now share the same session key.
  3. All further communication (login credentials, sensitive data) is encrypted using the session key (symmetric encryption).

Summary

  1. Root CA Public Key: Validates ICA certificate by checking its signature.
  2. ICA Public Key: Validates the server certificate by checking its signature.
  3. Server Public Key: Encrypts the session key during the TLS handshake.
  4. Symmetric Encryption: Secures all further data exchanges using the session key.

This layered approach ensures secure and trustworthy communication between browser and server.

Summary of Certificate Validation & Secure Communication Steps

1. Certificate Validation Process

The browser validates a server certificate in multiple stages:

Step 1: Validating the Intermediate CA (ICA) Certificate

  • Why: The server’s certificate is issued by an Intermediate CA, not directly by a trusted Root CA.
  • How:
    • The ICA certificate contains:
      • Subject (ICA Authority)
      • Issuer (Root CA)
      • ICA Public Key
      • Signature created by Root CA
    • The browser:
      • Retrieves the Root CA’s public key from its trusted list (pre-installed).
      • Decrypts the signature on the ICA certificate and compares it with a computed hash of its contents.
      • If they match, the ICA certificate is verified as legitimate.

Step 2: Validating the Server Certificate

  • Why: The browser must ensure that the server is trusted and authentic.
  • How:
    • The server certificate contains:
      • Subject (example.com)
      • Issuer (ICA Authority)
      • Server’s Public Key
      • Signature created by ICA
    • The browser:
      • Uses the ICA’s public key to decrypt the signature on the server certificate.
      • Compares it with a hash of the server certificate contents.
      • If they match, the server certificate is verified.

2. Establishing a Secure Communication Channel

Once the certificate is validated, the browser and server establish a secure connection:

Step 1: Encrypting the Session Key

  • The browser generates a random session key for symmetric encryption (efficient for fast data transfer).
  • The browser encrypts the session key using the server’s public key from the verified server certificate.

Step 2: Secure Transmission of the Session Key

  • The encrypted session key is sent to the server.
  • The server decrypts it using its private key.

Step 3: Symmetric Encryption for Data Transmission

  • Both browser and server now share the same session key.
  • All subsequent data (e.g., login credentials) is encrypted using this session key, ensuring confidentiality and integrity.

Key Points Recap:

  1. Root CA Public Key: Validates the Intermediate CA certificate by verifying its signature.
  2. ICA Public Key: Validates the server certificate by verifying its signature.
  3. Server Public Key: Encrypts the session key during the TLS handshake.
  4. Symmetric Encryption: Secures further data transmission between browser and server.

This system ensures trust, authenticity, and data security in HTTPS connections.

You may also like...