A small but growing number of sites rely on multiple SSL certificate authorities to authenticate users.
These sites use a single certificate authority to sign user-provided certificates, but many use multiple certificate authorities.
To prevent the use of multiple certificates, it is important to understand the difference between a local and a remote certificate.
The following sections describe the differences.

1. Local certificates

The local certificate authority (CSA) is a trusted name that the browser uses to authorize certificate requests and to authenticate users.
A local certificate is typically the one that was signed by the browser, or by a trusted certificate authority.
A certificate authority is a trusted name that an administrator or a third party has set up to sign certificates issued by a certificate authority other than the one in use.
For example, if you use a domain name that is not your own, you can use a CA certificate.
A CA certificate is not a valid certificate authority for the domain name.
If you use the same certificate authority as another site, the certificate issued by the domain is valid.
If the domain’s certificate authority fails to verify the certificate, then the domain will be trusted.
To obtain a valid CA certificate, the user must request a certificate from the site, either by clicking on a link in the domain, or through a certificate request dialog.
When you request a CA cert, the browser will ask for the certificate authority name.
A server that can verify a certificate can then verify the domain.
However, the server must be able to verify a valid SSL certificate.
If that server is not available, the site cannot use the certificate.
To verify a CA certificate, the browser must first send a certificate to the CA, which then sends the certificate to a server.
The server then checks the certificate against a list of certificates issued and verified by the CA.
If it does not match the certificate from a trusted CA, it will reject the certificate and redirect the user to the site’s website.
This is how a local certificate works.

2. Remote certificates

Remote certificates are certificates that have been authorized by a server that has access to the certificate on the server.
When the user visits the site or clicks on a site link, the web server responds with a request to the server to validate the certificate that is being requested.
The request is made by the server that is sending the request.
If a valid Certificate Authority certificate is returned, the page or the site will respond with a Certificate Status Code (CSV) indicating that the certificate has been issued.
The browser will then use the information returned by the SSL Certificate Status Codes to verify that the site is legitimate and authentic.
If SSL certificates have been issued, the website can use them to authentically sign user certificates.
If not, the site's certificate may be revoked.

3. The certificate authority certificate

The certificate authorities' certificates are issued in the form of a private key (or private key hash) that is embedded into the web site.
The website uses this private key to sign and verify a user certificate.
When a certificate is signed by a CA, the certificates are stored on the CA’s server.
However: the CA certificate must be valid.
A revoked certificate can be used to sign another CA certificate, and a user cannot use a revoked certificate to sign the certificate of another CA.
To determine whether a certificate has already been issued by another CA, you must look at the certificate revocation list that is stored in the certificate authority's public key database (pkcs11).
For more information, see Certificate revocation lists.
When using the certificate issuance method, you must be able to sign without the certificate being revoked.
You do this by verifying that the website’s certificate was signed using the CA certificate you requested.
For more details, see How to verify certificates.

4.

When users sign with a certificate, they create an RSA private key, which is the private key that the user is required to generate before they can use the site.
RSA certificates are not issued by CAs and cannot be used by a website to sign SSL certificates.
A user’s RSA private keys are stored in a private directory called the CA private directory.
To create an SSL certificate, a user can sign with the CA public key.
The CA then generates the public key from the user's RSA private directory and stores it in the CA server's private directory (the CA private directory).
This private directory is where the CAs' private keys reside.
When someone signs with the private RSA public key, the CA creates the certificate for the user.
This certificate is then used to authenticate users.

5.

If users use a certificate that has been revoked, the service will send a warning to the user that the CA revoked the certificate in order to protect the CA from a certificate revocation.
This warning is sent to the client in the user session and must be given at least 24 hours before the user can use or access the site again.
This information is sent as part of the certificate’s revocation information.
It can be disabled