8 Public key infrastructure and X.509 digital certificates: Know who you’re talking to
This chapter covers
- Inspecting X.509 digital certificates for key fields that developers need to know
- Verifying X.509 certificates to decide whether a certificate is trustworthy
- Understanding common reasons why certificate validation fails
In chapter 7, we explored how public key cryptography addresses the challenge of securely sharing a secret by using a key pair: a public key and a private key. The private key must remain confidential and securely stored, but the public key can be freely distributed without special protection.
Now let’s imagine that we need to establish a secure connection between a client and a server at ACME, Inc. At first glance, this might sound straightforward, but we have important details to consider. When the client and server set up their connection, for example, they exchange public keys. This exchange happens before encryption is in place, so it takes place over an unsecured channel.
You might think “Isn’t that fine? After all, they’re called public keys; anyone can have them!” That’s true. Public keys are designed to be openly shared. The critical question, though, isn’t whether you can receive a public key but whose public key you’re getting.