How Clients and Servers Validate Certificates

Clients and servers exchange and validate each other’s digital certificates. All of the CA certificates that are needed to validate a server certificate compose a trust chain. All CA certificates in a trust chain have to be available for server certificate validation.
The following provides some details of the validation process that occurs between clients and servers.
  1. Digital certificates for the CA, the server, and the client (optional) are generated, and the CA trust list is created. Refer to Setting Up Digital Certificates Using OpenSSL.
  2. The client connects to a TLS-enabled server.
  3. The TLS-enabled server sends its certificate to the client along with all the intermediate CA certificates. The server certificate files are provided in an accessible directory. SAS uses the SSLCERTLOC, SSLPVTKEYLOC, and SSLPVTKEYPASS options to locate the server certificate, its private key, and the key's password. A PKCS12 formatted file that holds both the server certificate and its private key in one file can also be used with the SSLPKCS12LOC and SSLPKCS12PASS options.
    The system options are specified in the server's invocation command. For information, see SAS System Options for Encryption.
  4. The client verifies the server’s certificate against the Certificate Authority (CA) list. The client has to know about all of the CAs in the server’s certificate chain in order to validate the server certificate.
    The CA certificate files are provided in either the file pointed to by SSLCALISTLOC= or on UNIX in an accessible directory that is pointed to by the SSL_CERT_DIR or SSLCACERTDIR environment variables.
  5. The server can also validate the client’s certificates. Refer to the previous steps.
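The following script is an added example, not SAS code, that walks through steps 3 and 4 with the OpenSSL command line. It builds a constructed three-tier PKI (root CA, intermediate CA, server certificate) in a temporary directory, then checks the server certificate three ways: with only the root CA available (fails, because the intermediate is missing), with the intermediate supplied alongside the leaf as a server would send it, and with a single CA list file holding root and intermediate, which is the shape of file SSLCALISTLOC= points to. It also bundles the server certificate and key into a PKCS12 file as SSLPKCS12LOC/SSLPKCS12PASS would consume. All subject names, file names and the PKCS12 password are constructed placeholders; the only assumption is an `openssl` binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example (not SAS code): constructed root -> intermediate -> server chain,
# demonstrating why every CA certificate in the trust chain must be available
# to the client when it validates the server certificate.
set -eu

# Build the constructed PKI under directory $1. Names and password are placeholders.
make_pki() {
  d="$1"
  mkdir -p "$d"

  # 1. Root CA: self-signed from a CSR, with CA extensions taken from an ext file
  #    so the result does not depend on the local openssl.cnf.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

  # 2. Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
    -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/intermediate.csr" \
    -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null

  # 3. Server (leaf) certificate, signed by the intermediate.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:sasserver.example.test\n' \
    > "$d/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sasserver.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/server.csr" \
    -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" -CAcreateserial \
    -extfile "$d/server.ext" -out "$d/server.pem" 2>/dev/null

  # One CA list file containing the whole chain (the form SSLCALISTLOC= expects).
  cat "$d/root.pem" "$d/intermediate.pem" > "$d/calist.pem"

  # Server certificate, private key and intermediate bundled as PKCS12
  # (the form SSLPKCS12LOC/SSLPKCS12PASS expect). Password is a placeholder.
  openssl pkcs12 -export -in "$d/server.pem" -inkey "$d/server.key" \
    -certfile "$d/intermediate.pem" -passout pass:constructed-password \
    -out "$d/server.p12"
}

# Client trusts only the root and the server sent only its leaf:
# chain building stops at the missing intermediate, so validation fails.
verify_root_only() { openssl verify -CAfile "$1/root.pem" "$1/server.pem"; }

# Server sends leaf plus intermediate (step 3); client trusts the root (step 4).
# -untrusted models certificates received over the wire, not from the trust store.
verify_with_sent_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" "$1/server.pem"
}

# Client's CA list file already holds every CA in the chain.
verify_with_calist() { openssl verify -CAfile "$1/calist.pem" "$1/server.pem"; }

# The PKCS12 bundle opens with its password and yields the server certificate.
check_pkcs12() {
  openssl pkcs12 -in "$1/server.p12" -passin pass:constructed-password \
    -nokeys -clcerts 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

demo() {
  d="$(mktemp -d)"
  make_pki "$d"
  echo "--- root only (expected to fail: unable to get local issuer certificate)"
  verify_root_only "$d" || true
  echo "--- root trusted, intermediate sent by server (expected: OK)"
  verify_with_sent_intermediate "$d"
  echo "--- full CA list file (expected: OK)"
  verify_with_calist "$d"
  rm -rf "$d"
}
demo
```

The first check is the failure mode the page warns about: a client whose CA list contains only the root cannot validate a server that omits its intermediate, and the error openssl reports ("unable to get local issuer certificate") is the same class of failure a SAS client logs when SSLCALISTLOC= or SSLCACERTDIR is incomplete. Either shipping the intermediate from the server or including it in the client's CA list resolves it.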