CA:FAQ: Difference between revisions

No change in size ,  25 August 2011
m
Line 48: Line 48:
In some cases Mozilla can get the CA certificate(s) from the same place and in the same way as it got the original certificate; for example, if a web server presents its own certificates to Mozilla then it could also present the needed CA certificate(s) as well, including the root CA certificate and any intermediate CA certificates. (Such a set of linked certificates is known as a "certificate chain".)
In some cases Mozilla can get the CA certificate(s) from the same place and in the same way as it got the original certificate; for example, if a web server presents its own certificates to Mozilla then it could also present the needed CA certificate(s) as well, including the root CA certificate and any intermediate CA certificates. (Such a set of linked certificates is known as a "certificate chain".)


However it is also convenient for Mozilla to keep its own copies of certificates, including root CA certificates in particular. Among other things, Mozilla cam mark a given root CA certificate as being valid for verifying certain types of certificates, and as not being valid to verify other types of certificates.
However it is also convenient for Mozilla to keep its own copies of certificates, including root CA certificates in particular. Among other things, Mozilla can mark a given root CA certificate as being valid for verifying certain types of certificates, and as not being valid to verify other types of certificates.


For example, a particular root CA may issue certificates only for web servers, not for email users or code developers; in the Mozilla certificate database this root CA's certificate could be marked as being valid only for verifying web server certificates. If Mozilla receives a email user certificate issued by this root CA (or by an intermediate CA under the root CA) it would then raise an error condition and alert the user; on the other hand web server certificates issued by the root CA (or an intermediate CA under it) would be verified by Mozilla without error and with no need for user intervention.
For example, a particular root CA may issue certificates only for web servers, not for email users or code developers; in the Mozilla certificate database this root CA's certificate could be marked as being valid only for verifying web server certificates. If Mozilla receives a email user certificate issued by this root CA (or by an intermediate CA under the root CA) it would then raise an error condition and alert the user; on the other hand web server certificates issued by the root CA (or an intermediate CA under it) would be verified by Mozilla without error and with no need for user intervention.
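Review bot: the "cam" to "can" correction in the second paragraph is right, but the same revision leaves a second typo untouched in the third paragraph: "If Mozilla receives a email user certificate" should read "If Mozilla receives an email user certificate". Since this is a minor (m) edit already touching the section, it would be worth folding that fix into the same change rather than leaving it for another revision.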