Implementation Guide › Changing Communication Encryption Methods › SSL, Authentication, and Certificates › What a Certificate Proves

What a Certificate Proves

A reader can validate the certificate signature by using the public key of the Certificate Authority (CA). If the decrypted signature matches the rest of the certificate, and the reader trusts the CA, this means the reader knows the following are true:

• That when the reader encrypts data using the public key, only the owner of the private key will be able to decrypt and read that data.
• That the owner of the certificate private key is the subject given in the certificate.

To be confident that the certificate is valid, the reader needs to trust the CA, and also needs to access the CA's public keys. In most cases the CA is a well known company and the program (and all popular web browsers) has copies of the CA's public keys, so the reader does not need to go online to check that the CA really did validate the certificate.

If the issuer is also the owner, the certificate is said to be self-signed, and trusting the issuer is more problematic.

To check that the program that sent the certificate is the certificate owner, the reader needs to use some other method. Usually the reader checks that the address it used to find the sender of the certificate is the same as the address that is in the certificate.