When a browser or client connects to a secure server, the server sends its certificate to the client. It is up to the client to verify the server’s certificate using trusted certificates. Generally, these trusted certificates are issued by a globally trusted root or intermediate certificate authority, such as VeriSign, Inc.

Certificates are digitally signed using the private key of another certificate. It is possible to form long certificate chains before reaching the root certificate authority’s certificate, but these chains are rarely more than five certificates long. The root certificate authority’s certificate is self-signed. If the client (browser) can form the chain from the server’s certificate to some trusted root certificate, the server certificate is verified, and communication can proceed.

If you are writing a client program, you must collect these root and intermediate trusted certificates. This is a manual process because you must be sure you are getting authentic root and intermediate certificates.

If you are less concerned with security, you can get the certificates you need from Microsoft Windows 2000’s internal certificate store. This is a security risk because someone can tamper with the certificates on your machine before you export them. The Netscape Web browser and the Windows operating system have hundreds of trusted certificates for certificate authorities worldwide.