Clients and servers exchange and validate each other's digital certificates. All of the CA certificates that are needed to validate a server certificate make up its trust chain, and every CA certificate in that chain has to be available for server certificate validation to succeed. The following steps describe the validation process that occurs between clients and servers.
- The client connects to a TLS-enabled server.
- The TLS-enabled server sends its certificate to the client along with all of the intermediate CA certificates. The server certificate files are provided in an accessible directory. SAS uses the SSLCERTLOC, SSLPVTKEYLOC, and SSLPVTKEYPASS options to locate the server certificate and its private key. A PKCS12 formatted file that contains both the certificate and the private key in one file can also be used, with the SSLPKCS12LOC and SSLPKCS12PASS options.
- The client verifies the server's certificate against its Certificate Authority (CA) list. The client has to know about all of the CAs in the server's certificate chain in order to validate the server certificate. The CA certificate files are provided either in the file pointed to by SSLCALISTLOC= or, on UNIX, in an accessible directory pointed to by the SSL_CERT_DIR or SSLCACERTDIR environment variable.
- The server can also validate the client's certificates, following the same steps.