Digital Certificates
Kevin Curran
Examining a digital certificate
To view the certificates associated with your browser, carry out the following steps:
- We will review the HTTPS server certificate, which can also be found by clicking the security lock icon at the top left. Here we can view the trusted root CA certificates that are pre-installed in Chrome.
- 1. Run Chrome, click the menu icon in the top right corner, and go to "Settings". The settings page shows up.
- 2. Click the "Show advanced settings..." link at the bottom.
- 3. Click the "Manage certificates..." button in the HTTPS/SSL section. The Certificates manager shows up.
- 4. Click the "Trusted Root Certificate Authorities" tab. A list of pre-installed trusted root CA certificates shows up.
- 5. Double-click "GTE CyberTrust Global Root". The "Certificate" dialog box shows up.
Now you know how to view the certificates pre-installed in Chrome. If you click the other tabs, you will see other certificates in different stores:
- Personal - My own certificates.
- Other People - For other people's certificates.
- Intermediate Certificate Authorities - For certificates from Intermediate CAs.
- Trusted Root Certificate Authorities - For certificates from trusted root CAs.
- Trusted Publishers - For certificates from servers that can be trusted without validation.
- Authorities - For certificates from root CAs and intermediate CAs.
- Others - For other certificates.
The picture below shows you the Certificates manager in Chrome displaying pre-installed certificates:
View Server Certificate Path
This section provides a tutorial example on how to view the server certificate path when visiting an 'https' Web site in Chrome 40. The top certificate in a certificate path is the root CA certificate, which is trusted through the browser settings. When a browser validates a server certificate, it will try to build a certificate path - an ordered list of certificates that satisfy these conditions:
- The first certificate must be a CA (Certificate Authority) certificate that is trusted by the browser.
- The subject of each certificate, except for the last, must be the issuer of the next certificate.
- The last certificate is the server certificate to be validated.
Here is what to do to see the certificate path for the https://login.yahoo.com Web site in Chrome:
We can see this is a valid certificate path and we can trust *.login.yahoo.com, because:
- The root CA certificate "VeriSign Class 3 Public Primary Certification Authority - G5" can be trusted because it was pre-installed in Chrome as a trusted certificate.
- The intermediate CA certificate "VeriSign Class 3 Secure Server CA - G3" can be trusted because it was issued by a trusted root CA.
- The *.login.yahoo.com certificate "*.login.yahoo.com" can be trusted because it was issued by a trusted intermediate CA.
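The three path conditions, applied to the certificate names above, as an added Python example that is not part of the original notes. It chains certificates by subject and issuer name only; a browser also verifies each signature and validity period. The Cert class and both functions are hypothetical names, and the certificate records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # who the certificate identifies
    issuer: str    # subject of the certificate that issued it
    is_ca: bool    # True for root and intermediate CA certificates

def build_path(server, intermediates, trusted_roots):
    """Return [root, ..., server], or None if no path reaches a trusted root CA."""
    roots = {c.subject: c for c in trusted_roots if c.is_ca}
    pool = {c.subject: c for c in intermediates}
    path, seen = [server], {server.subject}
    while True:
        issuer = path[0].issuer
        if issuer in roots:                      # condition 1: starts at a trusted CA
            return [roots[issuer]] + path
        parent = pool.get(issuer)
        # Stop on a missing issuer, a non-CA issuer, or a loop of issuers.
        if parent is None or not parent.is_ca or parent.subject in seen:
            return None
        seen.add(parent.subject)
        path.insert(0, parent)                   # condition 2: subject == next issuer

def satisfies_conditions(path, server, trusted_roots):
    """Check the three path conditions on an already ordered list."""
    if not path or path[-1] != server:                      # condition 3
        return False
    if not (path[0].is_ca and path[0] in trusted_roots):    # condition 1
        return False
    return all(a.subject == b.issuer for a, b in zip(path, path[1:]))  # condition 2

# Names from the page; the Cert records are constructed. Root CAs are self-issued.
ROOT = Cert("VeriSign Class 3 Public Primary Certification Authority - G5",
            "VeriSign Class 3 Public Primary Certification Authority - G5", True)
INTERMEDIATE = Cert("VeriSign Class 3 Secure Server CA - G3", ROOT.subject, True)
SERVER = Cert("*.login.yahoo.com", INTERMEDIATE.subject, False)
# Constructed negative case: a chain whose root is not in the trust store.
ROGUE_ROOT = Cert("Constructed Untrusted Root", "Constructed Untrusted Root", True)
ROGUE_SERVER = Cert("*.login.yahoo.com", ROGUE_ROOT.subject, False)

if __name__ == "__main__":
    for name, leaf in (("page example", SERVER), ("untrusted root", ROGUE_SERVER)):
        path = build_path(leaf, [INTERMEDIATE, ROGUE_ROOT], [ROOT])
        print(name, "->", [c.subject for c in path] if path else "no trusted path")
```

The second case fails even though the rogue certificate carries the same subject name, because its issuer chain never reaches a certificate in the trusted root store.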
The picture below shows you the certificate path view of a server certificate:
Certificate Path View - Chrome.