Verify Security Certificate from AusCert

12
2014-04
  • portoalet

    I have my security digital certificate for https signed by AusCert.
    Given the AusCert certificate and my security certificate, is there a tool to test whether it's a valid certificate or not (other than using a web browser)?

  • Answers
  • Josh K

    There are web based solutions, but your best bet is to use a web browser.


  • Related Question

    digital signature - Does a certificate authority (CA) have to be online constantly?
  • HappyDM

    Does a CA have to be online all the time in order for the whole system to work?

    For example, if I go to a secure webpage that uses a certificate signed by a CA, I receive a public key along with the content of the webpage. Then, when I send info back to the server, it is encrypted with the public key that I have been given, and finally decrypted via the info I sent with their private key and everything is fine.

    Is there a point in the procedure that I (the browser/application) must check through the internet with the CA to ensure that the certificate is real or the purported public key does really belong to the website? Or if I had trusted/approved the CA in the past, is no other check needed?

    Generally, does a CA have to be online all the time in order for the whole certificate/digital signature system to work?


  • Related Answers
  • BillThor

    The CA does not need to be online. However, the CA public certificate may point to a web server which has revocation lists. This should be online.

    Most implementations have a list of public CA certificates installed. Users can usually opt to trust a certificate even without the public CA certificate. The webserver will supply its public certificate if required. Depending on its configuration, it may serve one or more certificates in the chain to the CA's public certificates. This can include the CA's certificate.

    This mechanism can be used for other protocols based on TLS or the older SSL versions. Some other common protocols using TLS include LDAPS, SMTPS, and IMAPS. It is common for servers of the base protocols to support StartTLS, where the TLS is started on the normal unencrypted port.

    EDIT: Most CAs distribute the certificates by email or website. These need to be online. There is no need for the signing certificate to ever be on a system connected to the Internet. However, it is much easier to avoid the sneakernet and put it on a system connected to the Internet. This allows faster signing turnaround with less manual intervention. As we have seen, it does allow the signing key to be stolen.

    In general, the key never needs to leave the system on which it is used. This applies all the way along the chain. What is important is to protect the key; the certificates must be publicly accessible to be useful. Putting keys on secure removable storage is an option but not without its own risks.

    Having a secure password helps but for Certificate Authorities who issue high volumes of certificates, the password may be accessible to a signing script. This makes it easier to get both the key and its password.

    Keeping the top level signing key offline and locked away in a vault is possible. A second level key can be used for signing certificates, and its certificate provided as a chain certificate. Recovering from loss of a second level key is easier than recovering from the loss of the primary signing key.
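Added example, not part of the original thread or of any answer in it. It serves two passages at once: portoalet's question (a non-browser tool for checking a certificate against its CA, which is `openssl verify`) and BillThor's last paragraph (a top-level key kept offline, a second-level key that signs end-entity certificates, and that second-level certificate served as the chain certificate). The script builds a constructed three-level test PKI in a temporary directory with the openssl command line and then runs the same checks a browser performs: chain to a trusted root, intermediate supplied with the leaf, and hostname match. It assumes openssl 1.1.1 or later is on PATH; the CA names, the hostname www.example.test and all keys are made up on the fly.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a constructed test
# PKI (root CA -> intermediate CA -> server certificate) with the openssl CLI
# and checks a certificate the way a browser does: chain to a trusted root,
# intermediate supplied alongside the leaf, hostname match.
# Assumes: openssl 1.1.1 or later on PATH; every name below is made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# new_key_and_csr NAME SUBJECT_CN: fresh P-256 key plus a CSR for it.
new_key_and_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# make_ca NAME [ISSUER]: self-signed root when ISSUER is omitted, otherwise
# a subordinate CA certificate signed by ISSUER's key.
make_ca() {
  name="$1"; issuer="${2:-}"
  new_key_and_csr "$name" "$name"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 365 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 365 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# make_leaf NAME ISSUER HOST: end-entity (server) certificate for HOST.
make_leaf() {
  name="$1"; issuer="$2"; host="$3"
  new_key_and_csr "$name" "$host"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
    -CAkey "$WORK/$issuer.key" -CAcreateserial -days 90 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# verify_cert LEAF TRUST_ANCHOR HOST [INTERMEDIATES]
# Exit status 0 when LEAF chains to TRUST_ANCHOR (through the optional
# INTERMEDIATES file, the "chain certificate" a server sends along) and
# is valid for HOST. Revocation (CRL/OCSP) is deliberately not checked here.
verify_cert() {
  leaf="$1"; anchor="$2"; host="$3"; inter="${4:-}"
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$anchor" -untrusted "$inter" \
      -verify_hostname "$host" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$anchor" -verify_hostname "$host" "$leaf" >/dev/null 2>&1
  fi
}

# report LABEL verify_cert-args...: print one human-readable result line.
report() {
  label="$1"; shift
  if verify_cert "$@"; then echo "$label: VALID"; else echo "$label: REJECTED"; fi
}

make_ca root                      # top-level key: stays offline, only its cert is distributed
make_ca intermediate root         # second-level signing key; its cert is the chain cert
make_leaf server intermediate www.example.test
make_ca other-root                # an unrelated CA that nobody here trusts

# What the certificate says about itself (no trust decision involved yet).
openssl x509 -noout -subject -issuer -dates -in "$WORK/server.crt"

report "full chain, right host"    "$WORK/server.crt" "$WORK/root.crt"       www.example.test  "$WORK/intermediate.crt"
report "intermediate not supplied" "$WORK/server.crt" "$WORK/root.crt"       www.example.test
report "wrong trust anchor"        "$WORK/server.crt" "$WORK/other-root.crt" www.example.test  "$WORK/intermediate.crt"
report "wrong hostname"            "$WORK/server.crt" "$WORK/root.crt"       mail.example.test "$WORK/intermediate.crt"
```

For a certificate issued by a real CA the same call applies with the CA's published root as the trust anchor, the intermediate(s) the CA sent you in the `-untrusted` file and your own certificate as the leaf; when the intermediate is left out, openssl reports that it is unable to get the local issuer certificate, which is exactly the failure a browser shows when a server forgets to send its chain certificate. Note that `openssl verify` without `-crl_check` never consults the revocation list that BillThor mentions, so a valid-looking result says nothing about whether the CA has since revoked the certificate.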