Can Certificate be validated locally

Clash Royale CLAN TAG#URR8PPP

up vote
2
down vote

favorite

When I establish TLS/SSL with some server he sends me the certificate in the process. The certificate is signed by a certificate authority.

In my PC/browser I have a list of trusted certificate authorities.

Do I send the certificate to the authority or I validate it locally (checking the certificate's signature using data stored within the certificate authority list)?

(note: if needed take the browser for the example TLS/SSL client)

tls certificates certificate-authority

share|improve this question

asked 3 hours ago

croraf

1165

add a comment | 

up vote
2
down vote

favorite

When I establish TLS/SSL with some server he sends me the certificate in the process. The certificate is signed by a certificate authority.

In my PC/browser I have a list of trusted certificate authorities.

Do I send the certificate to the authority or I validate it locally (checking the certificate's signature using data stored within the certificate authority list)?

(note: if needed take the browser for the example TLS/SSL client)

tls certificates certificate-authority

share|improve this question

asked 3 hours ago

croraf

1165

add a comment | 

up vote
2
down vote

favorite

up vote
2
down vote

favorite

When I establish TLS/SSL with some server he sends me the certificate in the process. The certificate is signed by a certificate authority.

In my PC/browser I have a list of trusted certificate authorities.

Do I send the certificate to the authority or I validate it locally (checking the certificate's signature using data stored within the certificate authority list)?

(note: if needed take the browser for the example TLS/SSL client)

tls certificates certificate-authority

share|improve this question

asked 3 hours ago

croraf

1165

When I establish TLS/SSL with some server he sends me the certificate in the process. The certificate is signed by a certificate authority.

In my PC/browser I have a list of trusted certificate authorities.

Do I send the certificate to the authority or I validate it locally (checking the certificate's signature using data stored within the certificate authority list)?

(note: if needed take the browser for the example TLS/SSL client)

tls certificates certificate-authority

tls certificates certificate-authority

share|improve this question

asked 3 hours ago

croraf

1165

share|improve this question

asked 3 hours ago

croraf

1165

share|improve this question

share|improve this question

asked 3 hours ago

croraf

1165

asked 3 hours ago

croraf

1165

asked 3 hours ago

croraf

1165

1165

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

up vote
3
down vote

Certificates are validated locally. However, the client may contact the CA repository if some pieces of information are missing. For example, if an intermediate CA certificate is missing from the local store and the web server didn't return it during the handshake, the client may download the missing certificate from the CA repository. Additionally, the client can check certificate revocation by contacting the CA via OCSP or by downloding a CRL from the CA repository when no up-to-date revocation information is stored in the local cache.

Signature and chain validations are always performed locally.

share|improve this answer

edited 2 hours ago

Οurous

1075

answered 2 hours ago

Crypt32

2,138511

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  +1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
  – Mike Ounsworth
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  I mentioned that client contacts CA-managed OCSP/CRL servers.
  – Crypt32
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yup! Hence why it's a "+1 TL;DR", not a correction.
  – Mike Ounsworth
  2 hours ago
  

  
  
  
  

add a comment | 

up vote
1
down vote

Does checking the certificate chain require connecting to external servers?

Not necessarily, if the chain is complete from a trusted CA to the leaf certificate (the site's certificate) then no requests are needed. Each cert is either trusted, or signed by a cert higher in the chain. For example.com this would look like this:

• Root CA (trusted as it is installed in the browser)
  
  
  • Intermediate A (trusted as it is signed by Root CA)
    
    
    • Intermediate B (trusted as it is signed by Intermediate A)
      
      
      • Site cert (trusted as it is signed by Intermediate B)
      
      
    
    
  
  

Does checking expiry require connecting to external sources?

Using a CRL, or normal OCSP requires making an external request to check if the certificate has been invalidated since being issued, this can be a privacy issue as it allows a third party (the one running the OCSP responder) to track users.

To work around this issue, OCSP stapling can be used, where the server requests the OCSP response and returns it while it is valid to clients, before having to get a fresh response, preventing stale responses being used forever.

What happens when the chain is incomplete?

If the chain is incomplete then an AIA Extention can be used to point to the issuer of a certificate, allowing the client to repair the gap in the chain, but client support for this is not ensured, so it is better to present a full chain when possible.

share|improve this answer

answered 2 hours ago

jrtapsell

2,805924

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196792%2fcan-certificate-be-validated-locally%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
3
down vote

Certificates are validated locally. However, the client may contact the CA repository if some pieces of information are missing. For example, if an intermediate CA certificate is missing from the local store and the web server didn't return it during the handshake, the client may download the missing certificate from the CA repository. Additionally, the client can check certificate revocation by contacting the CA via OCSP or by downloding a CRL from the CA repository when no up-to-date revocation information is stored in the local cache.

Signature and chain validations are always performed locally.

share|improve this answer

edited 2 hours ago

Οurous

1075

answered 2 hours ago

Crypt32

2,138511

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  +1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
  – Mike Ounsworth
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  I mentioned that client contacts CA-managed OCSP/CRL servers.
  – Crypt32
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yup! Hence why it's a "+1 TL;DR", not a correction.
  – Mike Ounsworth
  2 hours ago
  

  
  
  
  

add a comment | 

up vote
3
down vote

Certificates are validated locally. However, the client may contact the CA repository if some pieces of information are missing. For example, if an intermediate CA certificate is missing from the local store and the web server didn't return it during the handshake, the client may download the missing certificate from the CA repository. Additionally, the client can check certificate revocation by contacting the CA via OCSP or by downloding a CRL from the CA repository when no up-to-date revocation information is stored in the local cache.

Signature and chain validations are always performed locally.

share|improve this answer

edited 2 hours ago

Οurous

1075

answered 2 hours ago

Crypt32

2,138511

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  +1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
  – Mike Ounsworth
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  I mentioned that client contacts CA-managed OCSP/CRL servers.
  – Crypt32
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yup! Hence why it's a "+1 TL;DR", not a correction.
  – Mike Ounsworth
  2 hours ago
  

  
  
  
  

add a comment | 

up vote
3
down vote

up vote
3
down vote

Certificates are validated locally. However, the client may contact the CA repository if some pieces of information are missing. For example, if an intermediate CA certificate is missing from the local store and the web server didn't return it during the handshake, the client may download the missing certificate from the CA repository. Additionally, the client can check certificate revocation by contacting the CA via OCSP or by downloding a CRL from the CA repository when no up-to-date revocation information is stored in the local cache.

Signature and chain validations are always performed locally.

share|improve this answer

edited 2 hours ago

Οurous

1075

answered 2 hours ago

Crypt32

2,138511

Certificates are validated locally. However, the client may contact the CA repository if some pieces of information are missing. For example, if an intermediate CA certificate is missing from the local store and the web server didn't return it during the handshake, the client may download the missing certificate from the CA repository. Additionally, the client can check certificate revocation by contacting the CA via OCSP or by downloding a CRL from the CA repository when no up-to-date revocation information is stored in the local cache.

Signature and chain validations are always performed locally.

share|improve this answer

edited 2 hours ago

Οurous

1075

answered 2 hours ago

Crypt32

2,138511

share|improve this answer

share|improve this answer

edited 2 hours ago

Οurous

1075

edited 2 hours ago

Οurous

1075

edited 2 hours ago

Οurous

1075

1075

answered 2 hours ago

Crypt32

2,138511

answered 2 hours ago

Crypt32

2,138511

answered 2 hours ago

Crypt32

2,138511

2,138511

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  +1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
  – Mike Ounsworth
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  I mentioned that client contacts CA-managed OCSP/CRL servers.
  – Crypt32
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yup! Hence why it's a "+1 TL;DR", not a correction.
  – Mike Ounsworth
  2 hours ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  +1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
  – Mike Ounsworth
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  I mentioned that client contacts CA-managed OCSP/CRL servers.
  – Crypt32
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yup! Hence why it's a "+1 TL;DR", not a correction.
  – Mike Ounsworth
  2 hours ago
  

  
  
  
  

1

1

+1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
– Mike Ounsworth
2 hours ago

+1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
– Mike Ounsworth
2 hours ago

I mentioned that client contacts CA-managed OCSP/CRL servers.
– Crypt32
2 hours ago

I mentioned that client contacts CA-managed OCSP/CRL servers.
– Crypt32
2 hours ago

Yup! Hence why it's a "+1 TL;DR", not a correction.
– Mike Ounsworth
2 hours ago

Yup! Hence why it's a "+1 TL;DR", not a correction.
– Mike Ounsworth
2 hours ago

add a comment | 

up vote
1
down vote

Does checking the certificate chain require connecting to external servers?

Not necessarily, if the chain is complete from a trusted CA to the leaf certificate (the site's certificate) then no requests are needed. Each cert is either trusted, or signed by a cert higher in the chain. For example.com this would look like this:

• Root CA (trusted as it is installed in the browser)
  
  
  • Intermediate A (trusted as it is signed by Root CA)
    
    
    • Intermediate B (trusted as it is signed by Intermediate A)
      
      
      • Site cert (trusted as it is signed by Intermediate B)
      
      
    
    
  
  

Does checking expiry require connecting to external sources?

Using a CRL, or normal OCSP requires making an external request to check if the certificate has been invalidated since being issued, this can be a privacy issue as it allows a third party (the one running the OCSP responder) to track users.

To work around this issue, OCSP stapling can be used, where the server requests the OCSP response and returns it while it is valid to clients, before having to get a fresh response, preventing stale responses being used forever.

What happens when the chain is incomplete?

If the chain is incomplete then an AIA Extention can be used to point to the issuer of a certificate, allowing the client to repair the gap in the chain, but client support for this is not ensured, so it is better to present a full chain when possible.

share|improve this answer

answered 2 hours ago

jrtapsell

2,805924

add a comment | 

up vote
1
down vote

Does checking the certificate chain require connecting to external servers?

Not necessarily, if the chain is complete from a trusted CA to the leaf certificate (the site's certificate) then no requests are needed. Each cert is either trusted, or signed by a cert higher in the chain. For example.com this would look like this:

• Root CA (trusted as it is installed in the browser)
  
  
  • Intermediate A (trusted as it is signed by Root CA)
    
    
    • Intermediate B (trusted as it is signed by Intermediate A)
      
      
      • Site cert (trusted as it is signed by Intermediate B)
      
      
    
    
  
  

Does checking expiry require connecting to external sources?

Using a CRL, or normal OCSP requires making an external request to check if the certificate has been invalidated since being issued, this can be a privacy issue as it allows a third party (the one running the OCSP responder) to track users.

To work around this issue, OCSP stapling can be used, where the server requests the OCSP response and returns it while it is valid to clients, before having to get a fresh response, preventing stale responses being used forever.

What happens when the chain is incomplete?

If the chain is incomplete then an AIA Extention can be used to point to the issuer of a certificate, allowing the client to repair the gap in the chain, but client support for this is not ensured, so it is better to present a full chain when possible.

share|improve this answer

answered 2 hours ago

jrtapsell

2,805924

add a comment | 

up vote
1
down vote

up vote
1
down vote

Does checking the certificate chain require connecting to external servers?

Not necessarily, if the chain is complete from a trusted CA to the leaf certificate (the site's certificate) then no requests are needed. Each cert is either trusted, or signed by a cert higher in the chain. For example.com this would look like this:

• Root CA (trusted as it is installed in the browser)
  
  
  • Intermediate A (trusted as it is signed by Root CA)
    
    
    • Intermediate B (trusted as it is signed by Intermediate A)
      
      
      • Site cert (trusted as it is signed by Intermediate B)
      
      
    
    
  
  

Does checking expiry require connecting to external sources?

Using a CRL, or normal OCSP requires making an external request to check if the certificate has been invalidated since being issued, this can be a privacy issue as it allows a third party (the one running the OCSP responder) to track users.

To work around this issue, OCSP stapling can be used, where the server requests the OCSP response and returns it while it is valid to clients, before having to get a fresh response, preventing stale responses being used forever.

What happens when the chain is incomplete?

If the chain is incomplete then an AIA Extention can be used to point to the issuer of a certificate, allowing the client to repair the gap in the chain, but client support for this is not ensured, so it is better to present a full chain when possible.

share|improve this answer

answered 2 hours ago

jrtapsell

2,805924

Does checking the certificate chain require connecting to external servers?

Not necessarily, if the chain is complete from a trusted CA to the leaf certificate (the site's certificate) then no requests are needed. Each cert is either trusted, or signed by a cert higher in the chain. For example.com this would look like this:

• Root CA (trusted as it is installed in the browser)
  
  
  • Intermediate A (trusted as it is signed by Root CA)
    
    
    • Intermediate B (trusted as it is signed by Intermediate A)
      
      
      • Site cert (trusted as it is signed by Intermediate B)
      
      
    
    
  
  

Does checking expiry require connecting to external sources?

Using a CRL, or normal OCSP requires making an external request to check if the certificate has been invalidated since being issued, this can be a privacy issue as it allows a third party (the one running the OCSP responder) to track users.

To work around this issue, OCSP stapling can be used, where the server requests the OCSP response and returns it while it is valid to clients, before having to get a fresh response, preventing stale responses being used forever.

What happens when the chain is incomplete?

If the chain is incomplete then an AIA Extention can be used to point to the issuer of a certificate, allowing the client to repair the gap in the chain, but client support for this is not ensured, so it is better to present a full chain when possible.

share|improve this answer

answered 2 hours ago

jrtapsell

2,805924

share|improve this answer

share|improve this answer

answered 2 hours ago

jrtapsell

2,805924

answered 2 hours ago

jrtapsell

2,805924

answered 2 hours ago

jrtapsell

2,805924

2,805924

add a comment | 

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196792%2fcan-certificate-be-validated-locally%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email