Chong Peng wrote:
Thanks for the reply. So can I say that "if a certificate is self signed, then it is a root certificate"?
I'm not really sure if the definition of a root certificate also assumes that the CA basic constraint is also set, which would allow the certificate to be used as a CA certificate (that is, to sign other certificates)...
How do I know a certificate is self signed?
Compare the issuer field of the certificate with the subject field. If they are equal the certificate is self signed.
Another question: for example, if I want to use a self-signed certificate as my server certificate, then during the SSL handshake phase this self-signed certificate is going to be sent from the server to the client. To verify this self-signed certificate, what is the client supposed to do? To be specific, do I have to independently distribute this self-signed certificate to the client before the SSL handshake?
As always, that depends... ;) I'll assume that your clients are standard browsers. Then you can realize this by installing your certificate into the client user's browser. This is typically done by distributing the certificate independently.
Another possibility is, tell your client users the fingerprint of your certificate (preferably using a secure channel like paper mail or telephone) and tell them to check the fingerprint when accessing your site the first time, since the browser will then complain about an unknown certificate. If the fingerprint is correct, browsers offer an option to trust this certificate in the future.
Obviously the second way is easier for you but more difficult for your client users, especially if they are not computer freaks...
Hope it helps, Ted ;)
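
The two checks described in the reply above (issuer equals subject, and a fingerprint to confirm out of band), as an added Python example that is not part of the original message. All function names are illustrative, and the sample certificates are constructed DER structures with no real key or signature. Matching names only show the certificate is self-issued; verifying the signature against the certificate's own public key needs a crypto library and is not done here.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def issuer_and_subject(cert_der):
    """Return the raw DER of the issuer and subject Names of an X.509 certificate."""
    tag, start, _ = read_tlv(cert_der, 0)           # Certificate SEQUENCE
    tbs_tag, pos, end = read_tlv(cert_der, start)   # TBSCertificate SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 certificate")
    fields = []
    while pos < end:
        ftag, _, fend = read_tlv(cert_der, pos)
        fields.append((ftag, cert_der[pos:fend]))
        pos = fend
    if fields and fields[0][0] == 0xA0:             # optional explicit [0] version
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("TBSCertificate too short")
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def is_self_issued(cert_der):
    """Byte-for-byte issuer == subject; stricter than RFC 5280 name matching."""
    issuer, subject = issuer_and_subject(cert_der)
    return issuer == subject

def fingerprint(cert_der):  # SHA-256 over the whole DER certificate, colon-separated hex
    h = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

# --- constructed sample input: certificate-shaped DER, no real key or signature ---
def tlv(tag, value):
    return bytes([tag, len(value)]) + value         # short-form lengths only (< 128)
def name(cn):
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))
def sample_cert(issuer_cn, subject_cn):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For a real PEM file, `ssl.PEM_cert_to_DER_cert()` from the standard library yields the DER bytes these functions expect.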