Reputation: 18531
A certificate authority is supposed to verify that a website is truly who they say they are, right? But certificate authorities sign their own certificates, so those certs are self-signed. Is there a way I can find out if the self-signed certificates they use on their website are reputable and trustable?
Upvotes: 2
Views: 1221
Reputation: 3434
Is there a way [you] can find out if the self-signed certificates they use on their website are reputable and trustable?
You can research the certificate authority yourself.
Some people may not trust a certificate authority, including Google. Google posted a list of authorities they did not trust back in May of 2016:
https://www.theregister.co.uk/2016/03/23/google_now_publishing_a_list_of_cas_it_doesnt_trust/
You either have to trust that the pre-installed certificates that came with your tools (web browser, etc.) are trusted by the producers of those tools, or you can do some research and see if you really trust them yourself. It's basically like asking how you can trust anyone or anything. Can I trust you?
I trust the CAs that come installed with my browser because, well, if I can't trust them then we all have a problem, and that problem is bigger than me. I think it's good to ask questions like this, and I wonder if anyone other than Google is questioning certificate authorities.
Upvotes: 0
Reputation: 572
You have to trust the CA who issued the certificate. Otherwise, we encounter the classic chicken-and-egg problem where there is no concrete boundary for trust and certainty.
Once you trust the CA issuer, you can check whether the certificate you have was actually issued by the concerned CA by running the following on a command line:
$ openssl verify -verbose -CAfile cacert.pem server.crt
Expected Output: server.crt: OK
If you get any other message, the certificate was not issued by that CA.
Visit https://kb.wisc.edu/middleware/page.php?id=4543 for more info.
Upvotes: 2
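The `openssl verify -CAfile` check from the answer above, worked end to end as an added example (this is not code from the answer or from the linked page): it builds two throwaway self-signed root CAs, issues a server certificate from one of them, and shows that verification succeeds only against the CA that actually issued it. It also prints the root's SHA-256 fingerprint, which is what you would compare against the fingerprint a CA publishes out of band when deciding whether to trust its self-signed certificate. All CA names and the host `example.test` are constructed for the demo; it assumes a `req -x509` default config that marks the root as CA:TRUE.

```shell
#!/bin/sh
# Added example (not from the original answers). Uses only the openssl CLI.
set -e

# Make a self-signed root CA: $1 = file prefix, $2 = common name.
# openssl's default config marks `req -x509` output as a CA (CA:TRUE).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a leaf cert for the constructed host example.test:
# $1 = CA prefix, $2 = leaf prefix.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -out "$2.crt" 2>/dev/null
}

# Exit 0 only if certificate $2 chains to the CA bundle $1
# (the same check as the answer's `openssl verify -CAfile`).
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a cert, for comparison with a fingerprint the CA
# publishes out of band (web page, printed material, another trusted channel).
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

demo() {
  dir=$(mktemp -d)
  ( cd "$dir"
    make_ca ca1 "Demo Root CA"
    make_ca ca2 "Unrelated Root CA"
    issue_leaf ca1 server
    printf 'server.crt vs ca1.pem (issuer):    %s\n' \
      "$(verify_against ca1.pem server.crt && echo OK || echo FAIL)"
    printf 'server.crt vs ca2.pem (stranger):  %s\n' \
      "$(verify_against ca2.pem server.crt && echo OK || echo FAIL)"
    printf 'ca1.pem SHA-256 fingerprint: %s\n' "$(fingerprint ca1.pem)" )
  rm -rf "$dir"
}
demo
```

The first verify prints OK and the second FAIL, because `openssl verify` only succeeds when the presented certificate chains to a certificate in the supplied `-CAfile`.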
Reputation: 5684
No, you just trust them! The most common way is to follow the herd... for example, extracting them from the browsers (http://curl.haxx.se/docs/caextract.html). We are always assuming the browsers are verifying it for us... as well as the operating systems...
Upvotes: 0