Hi,
I'm not sure you're clear on what certificates, signing and encryption are.
Roughly speaking, an X.509 certificate is the combination of a public
key and some information (subject distinguished name, date from/to,
other attributes) that has been signed using a private key usually
corresponding to another certificate.
The signer (CA) asserts authority on the validity of the information in
this certificate by signing it, but the certificate itself is not
enciphered and it's meant to be public.
The certificate of the signer (corresponding to its private key) may be
an intermediate CA or a root CA certificate. In the latter case, it's a
self-signed certificate (which means that it's been signed with its own
private key).
Why would you trust such a CA certificate? That's a "leap of faith".
Browsers and operating systems come with a bundle of CA certificates
they trust by default (Verisign, Thawte, ...), but you could have your
own PKI and set your own within your organisation.
As Ben pointed out in another message on this thread, the default set of
trusted CA certificates in the JVM is in a file called "cacerts". It's
however up to you to make sure you want to trust the CA certificates it
contains. Similarly, IE, Firefox and the OSX Keychain come with their set of
trusted CAs. The only reasons you'd trust them are:
- you trust the copy of the software you've obtained is genuine, and
- you trust the company/organisation that produced that software to
have made the right choices, because it has bundled the CA certificates
it wanted you to have.
Best wishes,
Bruno.
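As an added illustration of the point about cacerts above (example code written for this page, not from either poster): the Java program below opens the JVM's default trust store, checks that every self-signed root verifies with its own public key, and, given a certificate file on the command line, finds which trusted CA's public key validates that certificate's signature. It assumes the standard cacerts location under java.home and the default password "changeit".

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class TrustStoreDemo {
    // Load the JVM's default trust store. Its entries are plain certificates, nothing is
    // encrypted; the password ("changeit" is the default) only protects the file's integrity.
    static KeyStore loadCacerts() throws Exception {
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    // Return the alias of the trusted CA whose subject matches cert's issuer AND whose public
    // key checks cert's signature, or null if no CA in the trust store signed it.
    static String findSigner(KeyStore ks, X509Certificate cert) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            X509Certificate ca = (X509Certificate) ks.getCertificate(alias);
            if (ca == null || !ca.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try {
                cert.verify(ca.getPublicKey()); // throws if the signature was not made by this key
                return alias;
            } catch (Exception e) { /* same issuer name, different key: keep looking */ }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadCacerts();
        // Every trusted root is self-signed, so its own public key verifies its own signature.
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            X509Certificate ca = (X509Certificate) ks.getCertificate(aliases.nextElement());
            if (ca.getSubjectX500Principal().equals(ca.getIssuerX500Principal())) ca.verify(ca.getPublicKey());
        }
        System.out.println(ks.size() + " trusted CA certificates loaded; all roots self-verify");
        if (args.length == 1) { // optionally check a PEM/DER certificate file against the trust store
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                System.out.println("signed by trusted CA: " + findSigner(ks, cert));
            }
        }
    }
}
```

Run it as `java TrustStoreDemo some-cert.pem`; a null result means no CA in cacerts signed that certificate, which is exactly the case where the JVM would refuse the chain.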
Mohammed Al-Adawi wrote:
Hi
Given
X = public key and some data;
A trusted certificate is X digitally signed by the CA's private key.
Digitally signed means hashing X and then encrypting it with the CA's private key.
If that is true, the CA public key must be somewhere and NOT encrypted, so
you can decrypt the certificate.
You can say that I have an emotional problem coming from the fact: "NO
ONE said that the CA public key is there, available"; also, no one said where
it is stored!! Keystore, truststore? Or that it is not encrypted nor hashed.
Can you solve my emotional problem??
Thanks