For Server validation using a trusted CA, will the ca-public key that was used to sign the server certificate be provided back to the server?

Question

I was working on a sample TLS client/server program to perform certificate validation.

For a self signed certificate validation, these are the steps i followed.

@server side:

1. Generated a server key file serverkey.key
2. Generated a CSR certificate servercert.csr from the key file.
3. Digitally signed(using openssl x509 utility) the servercert.csr using a generated rootCA.key and rootCA.cert. server certificate file servercert.cert is generated.
4. Loaded the certificate file(servercert.cert) and key file(serverkey.key) using SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey openssl apis.

@client side:

1. Loaded the server ca-file --> rootCA.cert (which was manually copied to the client) using the SSL_CTX_load_verify_locations api.
2. Using the SSL_get_verify_result() api validated the certificate that server sends in the Certificate message.

The question that i have is that if i use a trusted CA(like godaddy) to sign a server CSR certificate, will the CA be providing its public key file (something similar to rootCA.cert) as well which was used for signing ? By which i can load the same to the trusted list at client side using SSL_CTX_load_verify_locations api.

My intention is to keep the code unchanged regardless of being a self signed certificate or a valid CA provided certificate.

Answer 1

When (any) x509 certificate is generated, these things happen:

1. Private key is generated
2. Public key (associated with the private key mentioned above) is embedded in the new certificate (becomes an integral part of it)
3. The new certificate is signed using private key of the issuer (read: CA)

In order to verify the certificate integrity (to check if nobody tampered with it) - you need to verify the signature (created using issuer's private key - see 3)). To be able to do it you need to obtain (somehow) the issuer's public key. This key is embedded in the issuer's certificate (see 2)). Usually the trusted CAs' certificates are stored in so called trusted certificate store. In case of OpenSSL you specify this "store" by using SSL_CTX_load_verify_locations function (and a few other simmilar functions - consult OpenSSL documentation).

To summarize: In your case the location pointed by SSL_CTX_load_verify_locations should contain your CA's certificate(s) - all of them - the whole certificate chain up to the self-signed root certificate. You can obtain all of the certificates in the chain from your CA (in your case GoDaddy).

I hope that helps. If I can clarify anything more please ask.