06-05-2017 04:54 PM
i would like to check my understanding in PKI:
1-if we have 2 HOSTS (Host A and Host B) under same CA, what will happen is :
each Host will receive a local certificate and CA-certificate from the CA.
Host A will receive the local certificate from Host B and will use the CA-Certificate to validate it ???????
2-If we have 2 Host under different CAs (CA-sales , CA-marketing) but of-course the 2 CAs under a common root-CA what will happend is :
-Host A will receive a local certificate and CA-certificate from CA-sales and also receive a CA-certificate from the Root-CA
-Host B will receive a local certificate and CA-certificate from CA-marketing and also receive a CA-certificate from the root-CA
-Host A will send the local certificate and the CA-Certificate(CA-sales) to Host B
-Host B will use the Root CA-Certificate to validate the received CA-Certificate(CA-sales) and then will use the CA-Certificate(sales) to Validate the received local certifcate of Host A
06-05-2017 06:24 PM
1) 'Host A will receive the local certificate from Host B and will use the CA-Certificate to validate it' --- In simple terms you are right.
2) At no point of time Host sends the CA certificate to other host generally. It only sends the local certificate. The receiver checks whether he has a trust chain built.
e.g. Only if ''CA-Sales - CA-Root'' trust chain is built on Host A and ''CA-Marketing - CA Root'' chain is built on Host B (This generally happens when you load host and CA certificates on device) they will be able to authenticate each other based on their local certificates.
06-05-2017 06:42 PM
That's soo confusing
When i was studying it was said that you may receive a certificate chain from a remote peer containing EE certificate and intermediate CA-certificates and you will use the common CA certificate to validate the top CA-certificate and then you will use this intermediate CA certificate to validate the next and so on til validate the end entity certificate
06-05-2017 07:00 PM
i have been reading the same thing while studying ( understanding PKI )
please Mr. Rushi help me correct my understanding
06-05-2017 07:34 PM
Your understanding is not entirely wrong. In simple words:-
* Recipient must maintain the certificate chain if it needs to secure authenticate peer when their Sub-CAs are different.
* Sender can send certificate chain (e.g. Local Cert + Sub Cert + Root Cert) but sender's chain will not be used generally to
authenticate Sender unless receiver has trust relations with Sub Cert + Root Cert. This chain may be used to gather
information like CRL but not authenticating sender.
So just because sender is sending Sub CA + Root CA, I (receiver) will not use those certificates for validating sender unless receiver also trusts Sub CA + Root CA (It has a chain).
06-11-2017 06:47 PM
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]