Ike

Reputation: 1224

How is a client certificate downloaded and installed on the client computer?

I am asking this question because I think when we try to access some HTTPS-enabled websites (e.g. Gmail, Facebook, our online banking), we do not download or install a client certificate.

Then how can we be sure that the information sent from our machines is properly encrypted?

Thanks.

Upvotes: 0

Views: 72

Answers (1)

Narf

Reputation: 14752

None of the examples you've listed utilize client certificates, except perhaps your online banking.

A client certificate is something you, as the client, send to the server in order to authenticate yourself. This is also known as "two-way TLS" or "mutual TLS" authentication.
VPN services are a particularly common example that utilizes two-way TLS. On the web, it is usually only used for server-to-server authentication, as it is fairly hard to set up and maintain for use by actual humans (but some banks do provide it as an option).

What you actually have in mind is how do you know the server certificates for websites on the internet are valid, without manually importing them. And the answer is fairly simple - you already have them, pre-installed ... kinda.
Naturally, you don't actually have the certificates for every TLS-enabled website on the web (that would be impossible), but web browsers ship with a set of root CA certificates, which can verify them.

The way it works is called "chain of trust", and it goes something like this:

  1. There's a limited count of root certificate authorities (CAs), which virtually everybody trusts. All CAs have one or more self-signed, "root" certificates that come pre-installed with your web browser.
  2. The root CAs issue "intermediate" certificates either to themselves, or to "sub-CAs" (e.g. resellers, or otherwise less-trusted authorities in the business) by signing them with their root certificates.
  3. Intermediate CAs then sign and issue individual certificates for end clients (clients here refers to entities buying the certificates). These are called "leaf" certificates.

Technically, the intermediate CAs are optional and a leaf certificate can be directly signed by root CAs; and vice versa - there can be more than one intermediate.

When you visit e.g. facebook.com, it will serve its leaf certificate bundled together with the intermediate that was used to sign it; your browser verifies that the served leaf was signed by the served intermediate cert, and then (since it already has all root certs pre-installed) it also verifies that the intermediate was signed by one of the root CAs, completing the chain of trust verification.

It's a complex and fragile structure, but it somehow works and it is the best we have today.

Upvotes: 1
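
The chain-of-trust check described in the answer above, as an added example that is not part of the original post: it builds a constructed root, intermediate and leaf with the `openssl` CLI, then verifies the leaf the way a client does, with only the root pre-installed. All CA names, host names and file names are made up, and it assumes `openssl` 1.1.1 or later is installed.

```bash
#!/usr/bin/env bash
# Constructed three-level PKI: root -> intermediate -> leaf. All names are made up.
W=$(mktemp -d)   # scratch directory holding the keys and certificates
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$W/leaf.ext"

# new_csr NAME CN: generate a private key and a certificate signing request.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}

# self_sign NAME CN: a root CA signs its own certificate (step 1 of the answer).
self_sign() {
  new_csr "$1" "$2" &&
  openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 1 \
    -extfile "$W/ca.ext" -out "$W/$1.pem" 2>/dev/null
}

# issue NAME CN ISSUER EXT: ISSUER signs NAME's certificate (steps 2 and 3).
issue() {
  new_csr "$1" "$2" &&
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$3.pem" -CAkey "$W/$3.key" \
    -CAcreateserial -days 1 -extfile "$W/$4.ext" -out "$W/$1.pem" 2>/dev/null
}

# client_accepts ROOT LEAF [INTERMEDIATE]: the check a client runs on connect.
# ROOT is the only pre-installed trust anchor; INTERMEDIATE is what the server
# sends along with its leaf and is not trusted on its own.
client_accepts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$W/$1.pem" -untrusted "$W/$3.pem" "$W/$2.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$W/$1.pem" "$W/$2.pem" >/dev/null 2>&1
  fi
}

self_sign root  "Example Root CA"
self_sign other "Unrelated Root CA"
issue inter "Example Intermediate CA" root ca
issue leaf  "www.example.test" inter leaf

client_accepts root  leaf inter && echo "leaf + intermediate, trusted root:   accepted"
client_accepts root  leaf       || echo "leaf without its intermediate:       rejected"
client_accepts other leaf inter || echo "chain ends at a root we don't trust: rejected"
```

The second case is the common server misconfiguration where the intermediate is not served, so the client cannot link the leaf to any pre-installed root.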
