How browsers verify and trust a certificate
by marjavamitjava · February 5, 2025
Details on CA List and Public Keys in Browsers
- Pre-installed Trusted CA List:
  - Browsers like Chrome, Firefox, Safari, and Edge come with a pre-installed list of trusted Certificate Authorities (CAs).
  - These lists are managed by the browser developers or operating systems (e.g., macOS for Safari, Windows for Edge).
- Public Keys of CAs:
  - Each CA in the list has an associated public key.
  - This public key is used to verify the digital signature on the certificates issued by that CA.
- Where Are They Stored?
  - Chrome/Edge: Use the OS-provided certificate store (Windows Certificate Store, Keychain on macOS).
  - Firefox: Maintains its own CA list independent of the operating system.
  - Safari: Relies on Keychain Access in macOS.
- How the Browser Uses Them:
  - When a browser receives a server’s certificate, it:
    - Checks which CA is named as the issuer in the certificate.
    - Retrieves the public key of that CA from its list.
    - Uses this public key to verify the CA’s signature on the server’s certificate.
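The three steps in the last list, as an added Go example (standard library only; not code from the original post). It goes slightly beyond the list by also showing the two failure cases: an issuer that is not in the trusted list, and a CA that reuses a trusted name but holds a different key. The certificates are constructed in memory with Ed25519 keys, and the names `issue`, `verify`, `demo`, "Example Root CA", "Unlisted CA" and "site.example" are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verify applies the three steps above to a list of trusted CA certificates.
func verify(leaf *x509.Certificate, store []*x509.Certificate) error {
	for _, ca := range store {
		if string(leaf.RawIssuer) == string(ca.RawSubject) { // steps 1-2: find the named CA
			return leaf.CheckSignatureFrom(ca) // step 3: check with the stored public key
		}
	}
	return fmt.Errorf("issuer %q is not in the trusted CA list", leaf.Issuer.CommonName)
}

// demo verifies leaves from the listed CA, an unlisted CA, and a same-name CA with another key.
func demo() (listed, unlisted, sameName error) {
	root, rootKey := issue("Example Root CA", nil, nil)
	try := func(ca *x509.Certificate, k ed25519.PrivateKey) error {
		leaf, _ := issue("site.example", ca, k)
		return verify(leaf, []*x509.Certificate{root}) // trusted list holds only root
	}
	return try(root, rootKey), try(issue("Unlisted CA", nil, nil)), try(issue("Example Root CA", nil, nil))
}

func main() { fmt.Println(demo()) }
```

Only the first result is `nil`: the same-name case passes the issuer lookup but fails the signature check, which is why the stored public key, not the CA's name, is what establishes trust. Browsers also build chains through intermediate CAs and check validity dates, host names and revocation, none of which this example covers.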