Obtaining Trusted Certificates to Verify Other Certificates
When a browser or other client connects to a secure server, the server sends its certificate to the client. It is up to the client to verify that certificate against a set of certificates it already trusts. Generally, these trusted certificates belong to globally trusted root or intermediate certificate authorities, such as VeriSign, Inc.
NOTE: You can create your own certificate authority for issuing “internal use” certificates. For more information, see the documentation that came with your cryptographic library.
Each certificate is digitally signed with the private key that belongs to its issuer’s certificate. It is possible to form long certificate chains before reaching the root certificate authority’s certificate, but these chains are rarely more than five certificates long. The root certificate authority’s certificate is self-signed. If the client (browser) can form an unbroken chain from the server’s certificate to some trusted root certificate, with every signature in the chain valid and every certificate within its validity period, the server certificate is verified, and communication can proceed. Note that chain verification proves only that a trusted authority issued the certificate; the client must also check that the certificate names the server it intended to reach.
If you are writing a client program, you must collect these root and intermediate trusted certificates. This is a manual process because the whole scheme rests on those certificates being authentic: anyone who can slip a certificate into your trusted set can impersonate any server to your client.
1. Contact VeriSign, Inc., or any certificate authority and ask for:
The intermediate certificate authority’s certificate
The root certificate authority certificate, which is used to sign the intermediate authority’s certificate
2. Convert these certificates into PEM format using the tools supplied by the cryptographic library and place them, one after another, in a single file. Before trusting the file, confirm each certificate’s fingerprint against the value the authority publishes through a channel other than the one you obtained the certificate from.
3. Call RWSecureSocketContext::prepareToAuthenticate() or RWSecureSocketContext::loadVerifyLocations() with the name of the file containing your trusted certificates.
If you are less concerned with security, you can export the certificates you need from the internal certificate store of Microsoft Windows 2000. This is a security risk because someone can tamper with the certificates on your machine before you export them, and you would then carry the tampered certificates into your own trusted set. The Netscape Web browser and the Windows operating system each ship with hundreds of trusted certificates for certificate authorities worldwide.
NOTE: Rogue Wave Software cannot provide these certificates because it is a security risk to you, and because certificates have expiration dates.
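The procedure above, carried end to end as an added example. This is not code from this documentation or from Rogue Wave, and it does not use the RWSecureSocketContext API: Go’s standard crypto/x509 package stands in for the cryptographic library, a constructed root, intermediate and server certificate stand in for the ones you would obtain from a certificate authority, and the names makeCert, pemBundle, fingerprint and verifyServerCert are this example’s own. It builds the PEM file of step 2, computes the fingerprints you would compare out of band, and performs the client-side chain check of step 3, treating only a self-signed certificate in the file as a trust anchor and using any other bundled certificate only as a link in the chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed certificate for cn: self-signed when parent is nil, else signed by parentKey.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // a real CA uses a random serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA {
		tmpl.DNSNames = []string{cn} // a server certificate names the host it serves
	}
	signerCert, signerKey := tmpl, key // self-signed: the template is its own issuer
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// pemBundle is step 2: trusted certificates in PEM form, concatenated as in the file given to loadVerifyLocations().
func pemBundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// fingerprint is the SHA-256 of the certificate's DER encoding. Compare it with
// the value the CA publishes out of band before trusting the bundled copy.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyServerCert is the client-side check: parse the trust file, then chain the server's
// certificate through bundled intermediates to a bundled self-signed root, valid for host.
func verifyServerCert(bundle []byte, server *x509.Certificate, host string) ([][]*x509.Certificate, error) {
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block %q in trust bundle", block.Type)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if c.CheckSignatureFrom(c) == nil { // self-signed: a trust anchor
			roots.AddCert(c)
		} else { // signed by another CA: a link in the chain, never an anchor
			intermediates.AddCert(c)
		}
	}
	return server.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: host})
}

func must(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
	if err != nil {
		panic(err)
	}
	return c, k
}

func main() {
	exp := time.Now().Add(24 * time.Hour)
	root, rootKey := must(makeCert("Example Root CA", true, nil, nil, exp))
	inter, interKey := must(makeCert("Example Intermediate CA", true, root, rootKey, exp))
	server, _ := must(makeCert("www.example.test", false, inter, interKey, exp))
	bundle := pemBundle(root, inter) // the file from step 2
	fmt.Printf("root sha256=%s\nintermediate sha256=%s\n", fingerprint(root), fingerprint(inter))
	chains, err := verifyServerCert(bundle, server, "www.example.test")
	fmt.Println("chains found:", len(chains), "error:", err)
}
```

Verification succeeds only when the file holds both the intermediate and the self-signed root: with the intermediate missing, with a certificate issued by a CA outside the file, with an expired intermediate, or with a host name the certificate does not cover, verifyServerCert returns an error, which is the behaviour a client should expect from its own trusted-certificate file.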