Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual page 805

Figure K-2: Authentication of a Client Certificate

An SSL-enabled client goes through these steps to authenticate a server's identity:

1. Is today's date within the validity period? The client checks the server certificate's validity period. If the current date and time are outside of that range, the authentication process won't go any further. If the current date and time are within the certificate's validity period, the client goes on to Step 2.

2. Is the issuing CA a trusted CA? Each SSL-enabled client maintains a list of trusted CA certificates, represented by the shaded area on the right side of Figure K-3. This list determines which server certificates the client will accept. If the distinguished name (DN) of the issuing CA matches the DN of a CA on the client's list of trusted CAs, the answer to this question is yes, and the client goes on to Step 3. If the issuing CA is not on the list, the server will not be authenticated unless the client can verify a certificate chain ending in a CA that is on the list.

3. Does the issuing CA's public key validate the issuer's digital signature? The client uses the public key from the CA's certificate (which it found in its list of trusted CAs in Step 2) to validate the CA's digital signature on the server certificate being presented. If the information in the server certificate has changed since it was signed by the CA or if the CA certificate's public key
The SSL Handshake
Appendix K
Introduction to SSL
805
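The following sketch is an added example, not code from the manual: it applies Steps 1 to 3 in the order given above and also follows the certificate-chain case mentioned in Step 2. The `Cert` class, the helper names, the sample DNs and the unpadded textbook-RSA keys are all constructed stand-ins for real X.509 certificates and signatures.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime

@dataclass(frozen=True)
class Cert:                       # simplified stand-in for an X.509 certificate
    subject: str                  # subject DN
    issuer: str                   # issuer DN
    not_before: datetime
    not_after: datetime
    pubkey: tuple                 # (n, e), textbook RSA (assumption, no padding)
    signature: int = 0

def keypair(a, b):                # constructed toy key from two Mersenne primes
    p, q = 2**a - 1, 2**b - 1
    return (p * q, 65537), pow(65537, -1, (p - 1) * (q - 1))

def digest(c, n):                 # hash of the signed fields, reduced mod n
    tbs = f"{c.subject}|{c.issuer}|{c.not_before}|{c.not_after}|{c.pubkey}"
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % n

def issue(c, ca_pub, ca_priv):    # the CA signs the certificate fields
    return replace(c, signature=pow(digest(c, ca_pub[0]), ca_priv, ca_pub[0]))

def authenticate(cert, trusted, intermediates, now):
    """Apply Steps 1-3 to each certificate until a trusted CA is reached."""
    for _ in range(8):            # bound the chain length
        if not cert.not_before <= now <= cert.not_after:          # Step 1
            return False, "step 1: outside validity period"
        ca = trusted.get(cert.issuer)                             # Step 2: issuer DN on trusted list?
        anchored = ca is not None
        ca = ca or intermediates.get(cert.issuer)                 # otherwise try to extend the chain
        if ca is None:
            return False, "step 2: issuer not trusted"
        n, e = ca.pubkey
        if pow(cert.signature, e, n) != digest(cert, n):          # Step 3
            return False, "step 3: signature does not validate"
        if anchored:
            return True, "ok"
        cert = ca                 # repeat the checks one level up the chain
    return False, "chain too long"

# Constructed sample data: trusted root CA, intermediate CA, server certificate.
T0, T1, NOW = datetime(2024, 1, 1), datetime(2026, 1, 1), datetime(2025, 1, 1)
(root_pub, root_priv), (int_pub, int_priv) = keypair(61, 89), keypair(107, 127)
ROOT = issue(Cert("CN=Example Root CA", "CN=Example Root CA", T0, T1, root_pub), root_pub, root_priv)
INTER = issue(Cert("CN=Example Issuing CA", "CN=Example Root CA", T0, T1, int_pub), root_pub, root_priv)
SERVER = issue(Cert("CN=www.example.com", "CN=Example Issuing CA", T0, T1, (0, 0)), int_pub, int_priv)
TRUSTED, EXTRA = {ROOT.subject: ROOT}, {INTER.subject: INTER}
```

Calling `authenticate(SERVER, TRUSTED, EXTRA, NOW)` walks from the server certificate through the intermediate to the trusted root; changing any signed field of `SERVER` after issuance makes Step 3 fail.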
