11.2.4.1. Verifying the validity of certificates

To decide whether a given certificate is valid, the following have to be checked:

  • It was signed by a trusted CA.

    Note

    If the certificate of the CA signing the given certificate was signed by a trusted CA (or by another CA lower in the CA chain), the certificate can be trusted. Sometimes this CA chain can consist of several levels.

  • It is not out-of-date.

  • It has not been revoked (that is, it does not appear on the up-to-date CRL).

  • The purpose of the certificate is appropriate, that is, it is used for the purpose it was issued for.
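The four checks above, applied in order while walking up the CA chain, as an added example (not code from the product this page documents). The `Cert` record, the toy textbook-RSA keys built from small Mersenne primes, and all names and dates are constructed assumptions that keep the example self-contained; real deployments verify X.509 certificates with an established library.

```python
import hashlib
from collections import namedtuple
from datetime import datetime, timezone

E = 65537  # public exponent shared by the toy keys
# Simplified stand-in for an X.509 certificate; pub_n is the subject's RSA modulus.
Cert = namedtuple("Cert", "subject issuer serial not_before not_after purposes pub_n sig")

def toy_key(p, q):
    """Textbook RSA from two small primes: (modulus, private exponent). Not secure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    """Hash every field except the signature, reduced into the issuer's modulus."""
    return int.from_bytes(hashlib.sha256(repr(cert[:7]).encode()).digest(), "big") % n

def sign(cert, n, d):
    return cert._replace(sig=pow(digest(cert, n), d, n))

def validate(cert, purpose, now, trusted, intermediates, crl):
    """Return "valid" or the first check that fails, walking up the CA chain."""
    if purpose not in cert.purposes:
        return "wrong purpose"
    for _ in range(8):  # bound the chain length so a loop of CAs cannot spin forever
        if not cert.not_before <= now <= cert.not_after:
            return f"out of date: {cert.subject}"
        if (cert.issuer, cert.serial) in crl:  # CRL entries: (issuer, serial)
            return f"revoked: {cert.subject}"
        anchor = trusted.get(cert.issuer)
        issuer = anchor or intermediates.get(cert.issuer)
        if issuer is None or "ca" not in issuer.purposes:
            return f"untrusted issuer: {cert.issuer}"
        if pow(cert.sig, E, issuer.pub_n) != digest(cert, issuer.pub_n):
            return f"bad signature: {cert.subject}"
        if anchor:
            return "valid"  # the chain ends at a trusted CA
        cert = issuer  # not trusted directly: check the signing CA's own certificate
    return "chain too long"

def sample_pki():
    """Constructed data: Root CA -> Issuing CA -> www.example.test."""
    t0, t1 = datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2026, 1, 1, tzinfo=timezone.utc)
    rn, rd = toy_key(2**89 - 1, 2**127 - 1)
    im_n, im_d = toy_key(2**61 - 1, 2**107 - 1)
    root = sign(Cert("Root CA", "Root CA", 1, t0, t1, ("ca",), rn, 0), rn, rd)
    inter = sign(Cert("Issuing CA", "Root CA", 2, t0, t1, ("ca",), im_n, 0), rn, rd)
    leaf = sign(Cert("www.example.test", "Issuing CA", 3, t0, t1, ("server",), 0, 0), im_n, im_d)
    return leaf, {"Root CA": root}, {"Issuing CA": inter}
```

Note that revoking the intermediate CA's certificate invalidates every certificate below it, which is why the date and CRL checks run at each level of the chain and not only on the end certificate.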

Note

It is possible to submit CSRs to more than one CA (and have them signed) using the same public key. However, this is considered highly unethical and is likely to result in the revocation of all of the certificates involved.