The validation process performs the following checks on a certificate: digital signature, trust, time, revocation, and formatting.

A certificate is invalid if it doesn't pass one or more of these checks.

The AIA point itself is just a URL that points to a web server or LDAP server that holds a copy of the issuing CA's certificate (and therefore the CA's public key).

In my example, the sub CA’s AIA was embedded in the Key Bank web server’s certificate by the sub CA as a way of stating “I issued this SSL certificate, signed with my private key, if you want to verify that this certificate is valid, go to this location to get a copy of my public key”.

The AIA point is a potential point of failure so let’s take a closer look at this process.

AIA – Just a Storage Location

Each certificate is digitally signed by the CA that issued it, with the exception of a ROOT CA, which self-signs its own certificate.

Let's examine those checks and other aspects of the certificate-validation process.

By gaining an in-depth understanding of how certificate validation works, you'll be better prepared to recognize and solve certificate-validation problems when they occur.

There are a few ways your operating system will find certificates from the chain that it does not have local access to. If the CA certificate the client is attempting to validate is not in the certificate store, the client will do one of the following:

1. Crypt32 has a cache of CA certificates - not all of which show up in the local computer certificate store - which are dynamically retrieved as necessary.

As part of the certificate chain validation process, the sub CA's certificate must also be validated. In graphic number 2, the sub CA's certificate was signed by the ROOT, and the ROOT's public key is needed to validate that signature.

In graphic number 1, the certificate chain validation process from my earlier example begins with the client validating the com web server SSL certificate.
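To make the chain-building and validation steps above concrete, here is an added example (not code from the original article) that uses only Go's standard `crypto/x509` package. It constructs a throw-away ROOT CA, a sub CA and a web server certificate, stamps a hypothetical AIA "CA Issuers" URL into the sub CA and server certificates the way the article describes, and then runs the client-side signature, trust and time checks. The `pki.example.test` URLs and the certificate names are constructed placeholders, not real endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed ROOT -> sub CA -> server-certificate chain.
type Chain struct {
	Root, Sub, Leaf *x509.Certificate
}

// Hypothetical AIA "CA Issuers" locations. A real CA publishes its own
// certificate at an HTTP or LDAP URL like these (placeholders, not live).
const (
	RootAIA = "http://pki.example.test/root.crt"
	SubAIA  = "http://pki.example.test/subca.crt"
)

// issue signs tmpl with the parent's private key and returns the parsed
// certificate. For a self-signed ROOT, parent is the template itself.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates the three certificates. Each issuer embeds its own AIA
// URL into the certificate it signs, so a client can locate the issuer's cert.
func BuildChain() (*Chain, error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	subTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Sub CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		IssuingCertificateURL: []string{RootAIA}, // AIA: where the ROOT's certificate lives
	}
	sub, err := issue(subTmpl, root, &subKey.PublicKey, rootKey) // signed by the ROOT
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames:  []string{"www.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IssuingCertificateURL: []string{SubAIA}, // AIA: where the sub CA's certificate lives
	}
	leaf, err := issue(leafTmpl, sub, &leafKey.PublicKey, subKey) // signed by the sub CA
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Sub: sub, Leaf: leaf}, nil
}

// Validate runs the client-side signature, trust and time checks against the
// ROOT as the only trust anchor. haveSub says whether the client already holds
// the sub CA certificate locally. Go's verifier never fetches from AIA, so
// without the sub CA cert chain building stops at the leaf; that is exactly the
// step at which a Crypt32 client would go to the leaf's AIA URL instead.
func Validate(c *Chain, haveSub bool, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	inters := x509.NewCertPool()
	if haveSub {
		inters.AddCert(c.Sub)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName: "www.example.test", Roots: roots, Intermediates: inters, CurrentTime: at,
	})
	return err
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf AIA:       ", c.Leaf.IssuingCertificateURL)
	fmt.Println("with sub CA:    ", Validate(c, true, time.Now()))
	fmt.Println("without sub CA: ", Validate(c, false, time.Now()))
	fmt.Println("72h later:      ", Validate(c, true, time.Now().Add(72*time.Hour)))
	fmt.Println("ROOT as signer: ", c.Leaf.CheckSignatureFrom(c.Root))
}
```

The three failing cases map onto the checks listed at the top of this section: the "without sub CA" run fails the trust check because the chain cannot be built up to the ROOT (the situation the AIA URL exists to resolve, and the point of failure if that URL is unreachable), the "72h later" run fails the time check once the certificates have expired, and `CheckSignatureFrom(c.Root)` fails the signature check because the leaf was signed with the sub CA's private key, not the ROOT's. Revocation checking is not exercised here; Go's verifier does not consult CRLs or OCSP on its own.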

