Browser verification of Web site digital certificate process (HTTPS protocol)

about the browser to verify the Web site digital certificate process the information on the web is generally not very clear. After consulting a lot of information finally to find out this part.

Certificates issued to the site under the CA is a certificate chain, that is, a layer of certificates, starting from the root certificate, to subordinate CAs, a layer, the last layer is the site certificate.

After the browser receives the certificate sent by the server, it needs to verify its authenticity. The signature of the certificate is generated by the signature algorithm and the private key of the superior CA , not in many articles simply by the CA private key. The browser needs to use the public key of the higher CA to decrypt the signature and compare it with the resulting fingerprint, so the question is, where does the public key of the parent CA come from?

The answer is that this public key comes from within the clear text of the certificate chain's parent CA at that level. A single X509v3 certificate consists of the following sections:

The X.509v3 certificate consists of three parts: Tbscertificate (to be signed certificate), the certificate to be signed. Signaturealgorithm, Signature Algorithm. SignatureValue, signature value.

The Tbscertificate also contains 10 items, which are transmitted in plaintext during the HTTPS handshake: Version number, edition. Serial number, serial numbers. Signature algorithm ID, Signature algorithm ID. Issuer Name, Publisher. Validity period, effective time. Subject name, certificate principal. Subject Public Key Info, the certificate principal key information, contains the public key algorithm and the public key value. Issuer unique Identifier (optional), distributor unique ID. Subject unique Identifier (optional), subject unique ID. Extensions (optional), extended.

A certificate chain consists of a layer of multiple certificates, in addition to the lowest level of the Web site certificate of the public key is to the user encrypted message, the other layer certificate in the public key is used to decrypt the underlying certificate fingerprint signature. The top-level root certificate is self-signed , which is issued to itself, so its public key is not only used to decrypt the underlying signature, but also to decrypt its own signature.

Verify that the certificate is true and that the task is complete, then how to verify the certificate is reliable. In a word, as long as the root certificate is reliable, the entire certificate chain is reliable, and the root certificate is reliable to see if the root certificate is in the operating system or browser built in the trusted root certificate, in the words trusted.