

What a Certificate Proves

A reader can validate the certificate signature by using the public key of the Certificate Authority (CA). If the decrypted signature matches the rest of the certificate, and the reader trusts the CA, this means the reader knows the following are true:

To be confident that the certificate is valid, the reader needs to trust the CA, and also needs access to the CA's public keys. In most cases the CA is a well-known company, and the program (and all popular web browsers) has copies of the CA's public keys, so the reader does not need to go online to check that the CA really did validate the certificate.

If the issuer is also the owner, the certificate is said to be self-signed, and trusting the issuer is more problematic.

To check that the program that sent the certificate is the certificate owner, the reader needs to use some other method. Usually the reader checks that the address it used to find the sender of the certificate is the same as the address that is in the certificate.
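
The two checks described above (issuer is also the owner, and the address used matches the address in the certificate), sketched as an added example that is not code from this documentation or its product. It assumes the certificate has already been parsed into the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, consults only `subjectAltName` entries, and uses constructed sample names and addresses.

```python
import ipaddress

# Constructed sample certificates, in the dict shape returned by Python's
# ssl.SSLSocket.getpeercert(). All names and addresses are made up.
SERVER_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "subjectAltName": (("DNS", "www.example.test"),
                       ("DNS", "*.api.example.test"),
                       ("IP Address", "192.0.2.10")),
}
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "intranet.example.test"),),),
    "issuer": ((("commonName", "intranet.example.test"),),),
    "subjectAltName": (("DNS", "intranet.example.test"),),
}

def issuer_is_owner(cert):
    """True when issuer and owner names are identical (the self-signed case).
    Compares names only; it does not verify the signature."""
    return cert.get("issuer") == cert.get("subject")

def _dns_match(pattern, host):
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label, never a whole domain.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def address_matches(cert, address):
    """Is the address the reader connected to listed in the certificate?
    Assumption: only subjectAltName entries are consulted (no commonName)."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # IP addresses must match exactly; wildcards never apply to them.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in san)
    return any(k == "DNS" and _dns_match(v, address) for k, v in san)
```

A certificate for which `issuer_is_owner` is true can still pass `address_matches`, so the address check says nothing about whether the issuer deserves trust.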