The interaction begins with the client making a request. The server responds with its certificate (which carries the server's public key). The client then performs a series of checks on that certificate before the handshake continues.
The handshake ends with both sides deriving the same "session keys" from a shared secret. From this point on the connection is protected with symmetric encryption under those keys; the public key in the certificate is only used during the handshake itself.
Servers should send the "intermediate" certificates that make up the rest of the chain between the server certificate and a root. This is typically done by concatenating the certificates into one file: server certificate first, then each intermediate in order, each one issued by the next. The chain ends at a "root" which must already be trusted by the client, i.e. exist in the client's trusted certificate store. Sending the root itself is unnecessary, since a client only trusts roots it already has; a self-signed root that merely arrives in the handshake gains no trust by being sent.
An intermediate can be cross-signed by more than one CA for redundancy, so several different chains for the same site can exist and each be valid, depending on which roots the client trusts.
$ openssl x509 -inform pem -noout -text < /path/to/certificate
Note that openssl x509 only decodes the first certificate in a file. To walk every certificate in a bundle (the OS-bundled CA file, or the certificates a server presents) and confirm the chain is complete, feed each PEM block to a fresh openssl process:
e.g.
$ awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /path/to/certificate
Adding -issuer to the command lets you check that each certificate's issuer is the subject of the next one in the file; a gap there is a missing intermediate.
The certificates presented by a server can be fetched with:
$ echo | openssl s_client -showcerts -servername <host> -connect <host>:<port> 2>/dev/null > cacert.pem
-servername sets SNI, so a server hosting several names returns the certificate for the one you asked about. The output file also contains s_client's own status lines; openssl x509 ignores anything outside the BEGIN/END markers, so the awk loop above still works on it (the chunk before the first BEGIN just produces one "unable to load certificate" complaint on stderr).
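As an added example (not part of the original notes), the script below builds a throwaway root -> intermediate -> leaf chain with openssl and then runs openssl verify against the leaf both with the intermediate available and without it, which is how an incomplete chain shows up on the client side. The CA names, www.example.test, and all paths are made up for the demo; it needs only openssl, awk, and a POSIX shell.

```sh
#!/bin/sh
# Added example, not from the original page: build a throwaway
# root -> intermediate -> leaf chain with openssl, then show what
# "openssl verify" says with and without the intermediate present.
# All names (Demo Root CA, www.example.test) and paths are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Extensions for the two CA certificates and for the leaf (server) certificate.
write_extfiles() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' \
        > "$WORK/leaf.ext"
}

# gen_chain: root self-signs, root signs the intermediate, intermediate signs the leaf.
gen_chain() {
    write_extfiles
    for n in root int leaf; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$WORK/$n.key" 2>/dev/null
    done
    openssl req -new -key "$WORK/root.key" -subj "/CN=Demo Root CA" -out "$WORK/root.csr"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -key "$WORK/int.key" -subj "/CN=Demo Intermediate CA" -out "$WORK/int.csr"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
    openssl req -new -key "$WORK/leaf.key" -subj "/CN=www.example.test" -out "$WORK/leaf.csr"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
    # What a correctly configured server sends: leaf first, then the intermediate(s).
    # The root is deliberately left out; the client must already have it.
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/served_chain.pem"
}

# chain_subjects FILE: subject and issuer of every certificate in a PEM bundle
# (the awk trick from the notes above; openssl x509 alone shows only the first).
chain_subjects() {
    awk -v cmd='openssl x509 -noout -subject -issuer' \
        '/BEGIN/{close(cmd)};{print | cmd}' < "$1"
}

# cert_count FILE: number of PEM certificates in a bundle
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Verify the leaf the way a client does: trust only the root, take the
# intermediate from what the server sent, and check the hostname.
# Exit status is that of openssl verify.
verify_served_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/served_chain.pem" \
        -verify_hostname www.example.test "$WORK/leaf.pem" >/dev/null 2>&1
}

# The common misconfiguration: the server sends only its own certificate.
# openssl reports "unable to get local issuer certificate".
verify_leaf_alone() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

gen_chain
echo "served chain contains $(cert_count "$WORK/served_chain.pem") certificates:"
chain_subjects "$WORK/served_chain.pem"
if verify_served_chain; then echo "with intermediate: OK"; else echo "with intermediate: FAIL"; fi
if verify_leaf_alone; then echo "leaf alone: OK"; else echo "leaf alone: FAIL (missing intermediate)"; fi
```

Run it as-is; it writes into a fresh mktemp directory (or $WORK if set). The second verify failing is the point: a server that omits its intermediate looks fine from a browser that happens to cache that intermediate, but fails for any client that only has the root.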
To see which CA bundle a client actually reads, trace the files it opens (here for curl; strace writes to stderr, so redirect it into the pipe, and discard the page body so it does not pollute the grep):
$ strace curl -o /dev/null https://srcdev.skatelescope.org 2>&1 | grep open | grep cert