Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual page 29

1. The certificate validity period is checked against the current time provided by the verifier's system
clock.
2. The issuer's certificate is located. The source can be either the verifier's local certificate database
on that client or server or the certificate chain provided by the subject, as with an SSL connection.
3. The certificate signature is verified using the public key in the issuer's certificate.
4. If the issuer's certificate is trusted by the verifier in the verifier's certificate database, verification
stops successfully here. Otherwise, the issuer's certificate is checked to make sure it contains the
appropriate subordinate CA indication in the certificate type extension, and chain verification starts
over with this new certificate.
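The four checks above as a runnable sketch, added here as an illustration and not taken from the Red Hat manual or from Certificate System code. `Cert`, `keypair`, `issue` and `verify_chain` are hypothetical names; the certificate is a simplified record rather than X.509, and the signature is textbook RSA over toy keys, used only so the example runs with the standard library.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime

@dataclass(frozen=True)
class Cert:  # simplified stand-in for an X.509 certificate (assumption)
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool   # models the subordinate CA indication checked in step 4
    pub: tuple    # toy RSA public key (n, e)
    sig: int = 0
    def digest(self, n):  # hash of every field except sig, reduced mod n
        body = repr(replace(self, sig=0)).encode()
        return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def keypair(p, q, e=65537):  # textbook RSA, illustration only
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def issue(cert, signing_key):  # hypothetical helper: the issuer signs the body
    n, d = signing_key
    return replace(cert, sig=pow(cert.digest(n), d, n))

def verify_chain(cert, presented, trust_db, now, max_depth=8):
    pool = {c.subject: c for c in presented}  # chain supplied by the subject
    for _ in range(max_depth):
        if not cert.not_before <= now <= cert.not_after:             # step 1
            return False, f"{cert.subject}: outside validity period"
        issuer = trust_db.get(cert.issuer) or pool.get(cert.issuer)  # step 2
        if issuer is None:
            return False, f"{cert.subject}: issuer certificate not found"
        n, e = issuer.pub
        if pow(cert.sig, e, n) != cert.digest(n):                    # step 3
            return False, f"{cert.subject}: bad signature"
        if trust_db.get(issuer.subject) == issuer:                   # step 4
            return True, issuer.subject  # trusted issuer: stop here
        if not issuer.is_ca:
            return False, f"{issuer.subject}: not a CA"
        cert = issuer  # start over with the issuer's certificate
    return False, "chain too long"

# Constructed sample chain: Root CA -> Engineering CA -> server (toy keys)
T0, T1, NOW = datetime(2024, 1, 1), datetime(2030, 1, 1), datetime(2025, 6, 1)
root_pub, root_key = keypair(2**89 - 1, 2**107 - 1)
eng_pub, eng_key = keypair(2**61 - 1, 2**127 - 1)
ROOT = issue(Cert("Root CA", "Root CA", T0, T1, True, root_pub), root_key)
ENG = issue(Cert("Engineering CA", "Root CA", T0, T1, True, eng_pub), root_key)
LEAF = issue(Cert("server.example.test", "Engineering CA", T0, T1, False, (0, 0)), eng_key)
```

With `{"Root CA": ROOT}` as the trust database the walk ends at Root CA; with `{"Engineering CA": ENG}` it ends one step earlier, at the intermediate.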
Figure 1.8, "Verifying a Certificate Chain to the Root CA" presents an example of this process.

Figure 1.8. Verifying a Certificate Chain to the Root CA

Figure 1.8, "Verifying a Certificate Chain to the Root CA" illustrates what happens when only the root CA is included in the verifier's local database. If a certificate for one of the intermediate CAs, such as Engineering CA, is found in the verifier's local database, verification stops with that certificate, as shown in Figure 1.9, "Verifying a Certificate Chain to an Intermediate CA".

How CA Certificates Establish Trust