-1

When I send a request to a known site like Facebook, Google, ... over the HTTPS protocol, the certificates appear in the browser via the padlock.

  1. How does the website (Facebook, Google, ...) certificate come to my browser?
  2. How does my browser know the certificate is valid? Is it asking the Certificate Authority company?
  3. What do my computer's trusted certificates mean (on Windows, certmgr.msc)?
barteloma

1 Answer

1

1. How does the website (Facebook, Google, ...) certificate come to my browser?

When your browser requests a website using the HTTPS protocol, the transfer will start with an SSL/TLS handshake. During this handshake the server will submit the website certificate to your browser.

2. How does my browser know the certificate is valid? Is it asking the Certificate Authority company?

The website certificate is commonly provided by a certificate authority (CA). The CA has signed the website certificate with its own certificate, after it has verified the website's identity. Every browser has some certificates from trusted CAs pre-installed. These certificates are used to check if the submitted website certificate is properly signed by the CA.

In addition, the browser may use the Online Certificate Status Protocol (OCSP) to check if the website is still valid.

3. What do my computer's trusted certificates mean (on Windows, certmgr.msc)?

I guess this is a different topic. The CA certificates used for HTTPS connections are part of the browser (IE, FF, etc.) and not part of the operating system.

Additional notes

The way the browser displays a trusted HTTPS connection depends on the browser and on the type of certificate used.

If you are interested in some details of how the certificates are distributed, you may do some research on the topic of "Public-key infrastructure (PKI)".

Florian
  • I understand this: As a site administrator, I create a certificate request that includes my organisation info, and I send this request to the Certificate Authority. Then the Certificate Authority sends me a certificate file to install on my server. After I install this certificate, a user sends a request to my server over HTTPS. How does the user's browser know my server certificate is valid? Is it checking the CA, or the certificate date, or my organisation info? – barteloma Dec 15 '13 at 16:13
  • @bookmarker: The user's browser uses its own pre-installed CA certificates to check if the certificate you installed on your server is valid, i.e. if you get a certificate file from the CA StartSSL and install this file on your server, then your browser uses a pre-installed certificate from StartSSL to verify your certificate. Every browser has a set of pre-installed certificates that are used to check if it can trust an HTTPS connection. – Florian Dec 15 '13 at 16:56
  • Do you mean: I created a certificate from Verisign or Symantec, and my organization name is SOMEORG. I installed my certificate on my server, and client computers have Verisign and Symantec pre-installed. Client computers do not verify my organisation info; they look at the Verisign CA info. Is this true? – barteloma Dec 15 '13 at 18:54
  • Yes! Verisign as CA verifies that you are really from the organization SOMEORG. If they checked your identity, they provide you the file with the certificate. This certificate includes the organization name. The client browser only checks that the certificate is provided by Verisign. Since Verisign is pre-installed within the browser, the browser trusts Verisign as CA. The browser trusts that Verisign has checked that you are part of SOMEORG (as mentioned within your certificate) and believes that you are a member of the organization because you have got the certificate from Verisign. – Florian Dec 15 '13 at 19:09
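
The trust-store check discussed in the answer and comments above, as an added Go example that is not part of the original thread: it uses Go's `crypto/x509` verifier rather than a browser, and it also shows the host-name check. The CA names, `www.someorg.example`, and the helpers `issue`, `verify` and `check` are constructed for this demo; the keys are throwaway Ed25519 keys generated in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue makes a certificate for cn/org signed by parent; a nil parent gives a self-signed root CA.
func issue(cn, org string, parent *x509.Certificate, parentKey ed25519.PrivateKey, hosts ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: hosts, IsCA: parent == nil, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: cn, Organization: []string{org}}, // org info travels inside the certificate
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root CA: signs its own certificate with its own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// verify is the client-side check: site must chain to a CA certificate already in trustStore and name host.
func verify(site *x509.Certificate, host string, trustStore ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, ca := range trustStore {
		pool.AddCert(ca)
	}
	_, err := site.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
func check(err error) {
	if err != nil {
		panic(err)
	}
}
func main() { // every name below is constructed for this demo
	caA, keyA := issue("Constructed CA A", "CA A", nil, nil)
	caB, _ := issue("Constructed CA B", "CA B", nil, nil)
	site, _ := issue("www.someorg.example", "SOMEORG", caA, keyA, "www.someorg.example")
	fmt.Println("CA A in store:", verify(site, "www.someorg.example", caA), "| only CA B:", verify(site, "www.someorg.example", caB), "| wrong host:", verify(site, "other.example", caA))
}
```

The same certificate is accepted or rejected depending only on which CA certificates the client already holds; the organisation name in the subject is carried along but is not what the signature check compares.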