Can a certificate be validated locally?
When I establish TLS/SSL with some server, it sends me its certificate in the process. The certificate is signed by a certificate authority.

In my PC/browser I have a list of trusted certificate authorities.

Do I send the certificate to the authority, or do I validate it locally (checking the certificate's signature using data stored within the certificate authority list)?

(Note: if needed, take the browser as the example TLS/SSL client.)
      tls certificates certificate-authority
      asked 3 hours ago by croraf
          2 Answers
          Certificates are validated locally. However, the client may contact the CA repository if some pieces of information are missing. For example, if an intermediate CA certificate is missing from the local store and the web server didn't return it during the handshake, the client may download the missing certificate from the CA repository. Additionally, the client can check certificate revocation by contacting the CA via OCSP or by downloading a CRL from the CA repository when no up-to-date revocation information is stored in the local cache.



          Signature and chain validations are always performed locally.
            +1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
            – Mike Ounsworth
            2 hours ago
          • I mentioned that client contacts CA-managed OCSP/CRL servers.
            – Crypt32
            2 hours ago
          • Yup! Hence why it's a "+1 TL;DR", not a correction.
            – Mike Ounsworth
            2 hours ago
            edited 2 hours ago by Οurous

            answered 2 hours ago by Crypt32
            Does checking the certificate chain require connecting to external servers?

            Not necessarily: if the chain is complete from a trusted CA to the leaf certificate (the site's certificate), then no requests are needed. Each cert is either trusted or signed by a cert higher in the chain. For example.com this would look like this:

            • Root CA (trusted as it is installed in the browser)

              • Intermediate A (trusted as it is signed by Root CA)

                • Intermediate B (trusted as it is signed by Intermediate A)

                  • Site cert (trusted as it is signed by Intermediate B)

            Does checking expiry require connecting to external sources?

            Using a CRL or normal OCSP requires making an external request to check whether the certificate has been invalidated since being issued. This can be a privacy issue, as it allows a third party (the one running the OCSP responder) to track users.

            To work around this issue, OCSP stapling can be used: the server requests the OCSP response and returns it to clients while it is valid, before having to get a fresh response, which prevents stale responses from being used forever.

            What happens when the chain is incomplete?

            If the chain is incomplete, an AIA extension can be used to point to the issuer of a certificate, allowing the client to repair the gap in the chain, but client support for this is not ensured, so it is better to present a full chain when possible.
                answered 2 hours ago by jrtapsell
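Both answers make the same point: signature, chain and validity checks run offline against the local root store, and only revocation (OCSP/CRL) or a missing intermediate (AIA) needs the network. The Go program below is an added illustration, not code from either answer: it builds a constructed Root CA -> Intermediate A -> example.com chain with the standard library and runs the client-side check with the full chain, with the intermediate missing, and at a time after the leaf has expired. All names, lifetimes and serial numbers are made up, and revocation is deliberately left out because that is the step `Verify` cannot do locally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name signed by parent (self-signed when parent is nil); constructed test PKI only.
func issue(serial int64, name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(lifetime),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else { // leaf: bind it to the hostname the client will check
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// RunScenarios builds Root CA -> Intermediate A -> example.com, then runs the purely local
// client-side check three ways. Verify never touches the network: it only uses the pools given.
func RunScenarios() (fullChain, missingIntermediate, expired error) {
	root, rootKey := issue(1, "Test Root CA", true, nil, nil, 10*365*24*time.Hour)
	inter, interKey := issue(2, "Test Intermediate A", true, root, rootKey, 5*365*24*time.Hour)
	leaf, _ := issue(3, "example.com", false, inter, interKey, 90*24*time.Hour)
	trust, sent := x509.NewCertPool(), x509.NewCertPool()
	trust.AddCert(root) // the client's local root store (the browser's trusted CA list)
	sent.AddCert(inter) // what the server presented next to the leaf during the handshake
	now := time.Now()
	opts := x509.VerifyOptions{DNSName: "example.com", Roots: trust, Intermediates: sent, CurrentTime: now}
	_, fullChain = leaf.Verify(opts)
	opts.Intermediates = nil // server sent only the leaf; a browser would try AIA fetching here
	_, missingIntermediate = leaf.Verify(opts)
	opts.Intermediates, opts.CurrentTime = sent, now.Add(91*24*time.Hour) // leaf lifetime is 90 days
	_, expired = leaf.Verify(opts)
	return
}

func main() {
	full, missing, expired := RunScenarios()
	fmt.Printf("full chain: %v\nintermediate missing: %v\nafter expiry: %v\n", full, missing, expired)
}
```

The first check returns nil, the second fails with an unknown-authority error, and the third with an expiry error, all without any outbound request.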