8 Public Key Infrastructure and X.509 Digital Certificates: know who you are talking to
This chapter covers
- Inspecting X.509 digital certificates for key fields that developers need to know
- Verifying X.509 certificates to decide if a certificate is trustworthy
- Common certificate validation failure reasons
In chapter 7, we explored how public key cryptography addresses the challenge of securely sharing a secret by using a key pair: a public key and a private key. The private key must remain confidential and securely stored, while the public key can be freely distributed without special protection.
Now, let’s imagine we need to establish a secure connection between a client and a server at Acme Inc. At first glance, this might sound straightforward, but there are important details to consider. For instance, when the client and server set up their connection, they exchange public keys. This exchange happens before encryption is in place—meaning it takes place over an unsecured channel.
You might wonder: Isn’t that fine? After all, they’re called public keys—anyone can have them! That’s true. Public keys are designed to be openly shared. However, the critical question is not whether you can receive a public key, but whose public key you are actually getting.
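To make the "whose key?" question concrete, here is an added example (not from the book) in which a client completes a key agreement with whichever public key arrives. The toy Diffie-Hellman parameters, the function names, and the out-of-band fingerprint check are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, illustration only: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_secret(my_priv, their_pub):
    """Derive a session key from my private key and the peer's public key."""
    z = pow(their_pub, my_priv, P)
    return hashlib.sha256(z.to_bytes(16, "big")).hexdigest()

def fingerprint(pub):
    """SHA-256 fingerprint of a public key, the value one would compare via a trusted source."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def accept_key(received_pub, expected_fingerprint):
    """Accept a received key only if it matches a fingerprint obtained from a trusted source."""
    return secrets.compare_digest(fingerprint(received_pub), expected_fingerprint)

def demo():
    client_priv, client_pub = keypair()
    server_priv, server_pub = keypair()
    other_priv, other_pub = keypair()  # constructed: some other party on the network path

    # Constructed scenario: the key that reaches the client is not the server's.
    received = other_pub
    client_key = shared_secret(client_priv, received)
    return {
        # The key agreement works perfectly well with the wrong party...
        "math_succeeds": client_key == shared_secret(other_priv, client_pub),
        # ...but the resulting secret is not shared with the real server.
        "shared_with_server": client_key == shared_secret(server_priv, client_pub),
        # Only a check against independently trusted information tells the keys apart.
        "substituted_key_accepted": accept_key(received, fingerprint(server_pub)),
        "genuine_key_accepted": accept_key(server_pub, fingerprint(server_pub)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Nothing in the arithmetic distinguishes the two keys; the client needs a trustworthy binding between a key and an identity before it can decide which one to accept.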