Detailed Explanation of HTTPS Certificate Verification Process

Detailed Explanation of HTTPS Certificate Verification Process

1. Knowledge Point Description
HTTPS certificate verification is the core step of the TLS/SSL handshake, used to ensure that the client communicates with a trusted server and prevent man-in-the-middle attacks. The verification process involves certificate chain validation, digital signature verification, validity period checks, and other steps, relying on the Public Key Infrastructure (PKI) system. Understanding this process is crucial for analyzing HTTPS security and troubleshooting certificate errors.

2. Step-by-Step Analysis of the Verification Process
Step 1: Server Sends the Certificate Chain

  • After the client initiates an HTTPS connection request, the server returns its digital certificate (typically containing the public key, server information, issuer, etc.) and intermediate certificates (if any).
  • Certificate chain structure: Server Certificate → Intermediate CA Certificate → Root CA Certificate (the root certificate is usually pre-installed in the client's trust store).

Step 2: Certificate Integrity Verification

  • The client checks the certificate's signature algorithm (e.g., SHA256-RSA), uses the public key of the higher-level certificate to decrypt the current certificate's signature, obtaining a hash value H1.
  • The client independently calculates the hash value H2 of the certificate content and compares H1 with H2. If they match, it proves the certificate has not been tampered with.

Step 3: Certificate Chain Trust Verification

  • Starting from the server certificate, the client verifies the signatures step by step up the chain until it finds a root CA certificate pre-installed in the trust store.
  • If any intermediate certificate is missing, it may trigger a certificate chain incomplete error, requiring the server to be configured with a complete certificate chain.

Step 4: Validity Period and Domain Name Check

  • Check the certificate's validity period (Not Before/Not After) to ensure the current time is within the valid range.
  • Compare the domain name in the certificate (Subject Alternative Names or Common Name) with the currently accessed domain name for consistency.

Step 5: Certificate Revocation Status Check

  • The client queries whether the certificate has been revoked by the CA through OCSP (Online Certificate Status Protocol) or CRL (Certificate Revocation List).
  • The OCSP response can be optimized by the server via OCSP Stapling, directly returning signed status information to reduce client query latency.

Step 6: Extension Field Verification

  • Check critical extension fields, such as whether Key Usage includes digital signature or key encipherment, and whether Basic Constraints indicate CA authority, etc.

3. Common Issues and Defensive Significance

  • Types of Certificate Errors: Domain name mismatch, expired certificate, unknown issuer, revoked certificate, etc., which can interrupt the connection.
  • Defensive Role: Prevents attackers from forging certificates to carry out man-in-the-middle attacks, ensuring the authenticity of the communicating party's identity.
  • Advanced Notes: In some scenarios (e.g., internal networks), a private CA might be used, requiring manual import of the root certificate into the trust store to avoid errors.

4. Practical Tool Verification Examples

  • Browser developer tools can be used to view certificate details. The command-line tool openssl s_client -connect example.com:443 can output the complete certificate chain.
  • Use Wireshark to analyze TLS handshake packets, observing the structure of messages such as Certificate and Certificate Verify.

Through the above steps, HTTPS certificate verification translates identity trust into a verifiable computational logic, forming the cornerstone of web security.