
Digital certificates: signing vs verifying?

I am trying to understand the two main uses of digital certificates (such as SSL certs), which are signing and verification (I believe).

In the case of SSL between a client and a web server, my understanding of certificate verification is that the browser contacts the server at a URL using HTTPS. The server then presents the browser with its SSL certificate. The browser must then verify that the SSL certificate is valid and that it belongs to the same domain as the domain in the URL.

Again, in the case of SSL between a client and a web server, my understanding of certificate signing is that the client (browser) first verifies that the server's SSL cert is valid, and if it is, the browser places the cert in its own trust store (some local, embedded DB). Subsequent requests to this domain will first check to see if the server's SSL cert is in the client's trust store, and if it is, then verification is no longer required.

Am I more or less correct here, or am I way off base?

You're pretty much correct about verification. I would add that the browser also tries to verify the cert against a CA (Certificate Authority), but this can be waived by the user.

Beautifully explained here: How are SSL certificates verified?

Signing is a different thing. When an applicant (e.g. a web server) wants a CA to sign a certificate for it, it creates a key pair, private key and public key, and then prepares a CSR (Certificate Signing Request) containing, among other things, the previously created public key. The CA then creates a signed certificate (using its own private key) that can be verified by any entity that knows this CA's public key. Web browsers have a list of the most common CAs pre-installed.
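The signing flow described in the answer (key pair, CSR, CA signature) followed by the verification described in the question (chain to a trusted root, name matches the URL's host), walked through with the openssl CLI. This is an added example, not code from the original question or answer; the CA names, the hostname www.example.test and the working directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): CA signing and browser-style
# verification with the openssl CLI. All names below are constructed.
set -eu
WORK="$(mktemp -d)"

# Build a CA: its own key pair plus a self-signed root certificate. The root
# certificate (i.e. the CA's public key) is what a browser ships pre-installed.
make_ca() {  # $1 = file prefix, $2 = CA name
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/$1.key" -days 1 -subj "/CN=$2" -out "$WORK/$1.crt" 2>/dev/null
}

# The applicant (web server) creates its key pair and a CSR that carries only
# the public key and the requested name; the private key never leaves the server.
make_csr() {  # $1 = server hostname
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=$1" -out "$WORK/server.csr" 2>/dev/null
}

# The CA signs the CSR with its own private key, adding the subjectAltName that
# browsers use for the domain check, and emits the server certificate.
sign_csr() {  # $1 = CA file prefix, $2 = server hostname
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# Verification as a browser does it: the certificate must chain to a trusted
# root AND its name must match the host in the URL. Prints "ok" or "fail".
verify_cert() {  # $1 = trusted root file prefix, $2 = hostname from the URL
  if openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" "$WORK/server.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

make_ca demo-ca "Demo Root CA"          # the CA the "browser" trusts
make_ca other-ca "Unrelated Root CA"    # a CA it does not trust
make_csr www.example.test
sign_csr demo-ca www.example.test
echo "trusted root, right host:   $(verify_cert demo-ca www.example.test)"
echo "trusted root, wrong host:   $(verify_cert demo-ca other.example.test)"
echo "untrusted root, right host: $(verify_cert other-ca www.example.test)"
```

Only the first case passes: a valid signature from an untrusted root, or a trusted root with a name that does not match the URL, both fail just as they would in a browser.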
