The Basics Of PKI Certificate Path Validation
The use of Public Key Infrastructure as a framework for secure transmission of data over the internet is standard practice. All SSL (Secure Sockets Layer) certificates use this method to encrypt data at a client and send it to a server where is decrypted through a paired set of keys. These keys are also linked to a unique certificate that identifies the applicant to the cert as being valid and trustworthy. The verification process is complete by a Certificate Authority.
There is also the use of PKI certificates to provide encryption and digital signatures for emails. This is also completed using the Public Key Infrastructure framework and the use of the paired public and private keys. Through this type of Public Key Cryptography, there is a universal ability to transmit and read data only between the desired sender and the intended recipient. This too requires a certificate that is vouched for as validated by a Certificate Authority.
This, in turn, builds in trustworthiness for those using the system. This trustworthiness is based on five different components of the framework. These include the ability to send the information with confidentiality, ensure the integrity of the information during the transmission, verify the authenticity of the sender and receiver as well as provide access control and non-repudiation of the sent data.
However, before the public and private keys can be used to encrypt and decrypt information through an SSL/TLS or PKI certificate, the certificate itself has to be validated. This can become somewhat complex depending on the specific pathway.
Comodo is the world's leading trust provider and, as such, our root certificates are embedded in the trust stores or certificate stores of 99.9% of devices and browsers in use today. Our root certificate is not directly accessed by a certificate on a server, browser or device for security reasons.
Instead, there are a series of intermediate certificates between the end user's certificate and the root certificate. This is known as the chain of certificates that will be used in the PKI certificate path validation process.
Before it is possible to complete PKI certificate path validation, the chain of the path of the certificates has to be installed, developed or constructed. Each certificate in the path is "vouching" for the validation of the certificate next in the line. This chaining can create one pathway or more than one pathway based on the specific types of restrictions or policies that are found within each certificate.
It is possible for certificates to be chained together and still not form a valid pathway. This can occur if the path is too short, if the certificate has a name mismatch or if there is a restriction on a certificate in the path that creates a test failure.
The Validation Process
The PKI certificate path validation process happens automatically through the system to ensure each certificate in the chain is valid. This means that the system verifies that the certificate is active and has not expired, that the certificate has integrity and has not been altered or tampered with and that the certificate has not been revoked by the CA.
Certificates can be revoked by a CA if there is a concern that the associated private key has been shared, breached or otherwise compromised. It is also possible that a cert may be erroneously provided by a CA through a fraudulent application. The rigorous validation standards used by CAs operating within the AICPA/CICA WebTrust for Certification Authorities Principles and Criteria make this very rare, but it has occurred.
The PKI certificate path validation relies on several different factors. This includes name chaining, where the certificates between the root certificate and the end certificate have to be issued from the named CA in the next immediate certificate. However, this is not the only issue that will be considered when completing the validation. Public keys are also used in the process through an Authority Key Identifier and a Subject Key Identifier.
As the certificate pathway is complex to develop, most of the CAs, including Comodo, provide the certificate bundle or all of the intermediate certs needed to complete the chain of trust. Once installed, this will ensure the validation will occur and the pathway will not fail.
If you have any questions about PKI certificate pathways or their validation, contact our team at Comodo. You can chat with us online at https://www.instantssl.com, just click on the live chat box from any page of the website. If you prefer to talk in person just call at +1 888 266 6361 and we will provide the information you need.