The client uses the certificate to authenticate the identity the certificate claims to
represent. An SSL-enabled client goes through these steps to authenticate a
server's identity:
- Is today's date within the valid period?
- Is the issuing certificate authority (CA) a trusted one? Each SSL-enabled
client maintains a list of trusted CA certificates. This list determines which
server certificates the client accepts. Validation continues if the
distinguished name (DN) of the issuing CA matches the DN of a certificate
authority on the client's list of trusted certificate authorities.
- Does the issuing certificate authority's public key validate the issuer's
digital signature?
- Does the domain name in the server's certificate match the domain name of the
server itself?
- The server is authenticated. The client proceeds with the SSL handshake. If the
client does not get to step 5 for any reason, the server that is identified by
the certificate cannot be authenticated, and the user is warned of the problem
and informed that an encrypted and authenticated connection cannot be
established.
Similar to cookie-based tokens, certificate authentication is also outside the scope
of pure JavaScript which has no access to certificates, and similarly falls under
the control of the user agent, in this case again the browser control, and its
interface directly with the user.