Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual page 787


In Figure J-7, the Engineering CA certificate contains the DN of the CA (that is, USA CA) that issued that certificate. USA CA's DN is also the subject name of the next certificate in the chain.

Each certificate is signed with the private key of its issuer. The signature can be verified with the public key in the issuer's certificate, which is the next certificate in the chain.

In Figure J-7, the public key in the certificate for the USA CA can be used to verify the USA CA's digital signature on the certificate for the Engineering CA.

Verifying a Certificate Chain

Certificate chain verification is the process of making sure a given certificate chain
is well-formed, valid, properly signed, and trustworthy. Netscape software uses
the following procedure for forming and verifying a certificate chain, starting with
the certificate being presented for authentication:

1. The certificate validity period is checked against the current time provided by the verifier's system clock.
2. The issuer's certificate is located. The source can be either the verifier's local certificate database (on that client or server) or the certificate chain provided by the subject (for example, over an SSL connection).
3. The certificate signature is verified using the public key in the issuer's certificate.
4. If the issuer's certificate is trusted by the verifier in the verifier's certificate database, verification stops successfully here. Otherwise, the issuer's certificate is checked to make sure it contains the appropriate subordinate CA indication in the Netscape certificate type extension, and chain verification returns to step 1 to start again, but with this new certificate. Figure J-8 presents an example of this process.
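
The four steps above, as an added Go example that is not part of the manual or of Netscape's software: it builds a constructed three-certificate chain and walks it as described, using the hypothetical helpers `issue` and `verifyChain`. Assumptions: the X.509 basicConstraints CA flag stands in for the Netscape certificate type extension, and the sample certificates use Ed25519 keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed sample certificate; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, key ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, key = t, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// verifyChain follows steps 1-4; db is the verifier's database, sent is the chain from the subject.
func verifyChain(cert *x509.Certificate, sent, db []*x509.Certificate, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) { // step 1: validity period
		return fmt.Errorf("%s: outside validity period", cert.Subject.CommonName)
	}
	for i, c := range append(db[:len(db):len(db)], sent...) { // step 2: local database first
		if string(c.RawSubject) != string(cert.RawIssuer) {
			continue
		}
		// Step 3 (CheckSignatureFrom also requires the issuer's CA flag); step 4 stops at a trusted issuer.
		if err := cert.CheckSignatureFrom(c); err != nil || i < len(db) {
			return err
		}
		j := i - len(db) // each presented certificate is used once, so issuer loops end
		return verifyChain(c, append(sent[:j:j], sent[j+1:]...), db, now)
	}
	return fmt.Errorf("%s: issuer certificate not found", cert.Subject.CommonName)
}

func main() {
	root, rootKey := issue("USA CA", true, nil, nil)
	eng, engKey := issue("Engineering CA", true, root, rootKey)
	leaf, _ := issue("server", false, eng, engKey)
	fmt.Println(verifyChain(leaf, []*x509.Certificate{eng}, []*x509.Certificate{root}, time.Now()))
}
```

`CheckSignatureFrom` is a low-level call; production Go code should use `Certificate.Verify`, which also enforces name constraints, extended key usage and path length.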
Appendix J
Introduction to Public-Key Cryptography
Certificates and Authentication