Once you set up a certificate tree, identity verification takes place during the client/server handshake, before transmission begins and before the system authenticates each user by prompting for credentials (user name and password).
This is how digital certificates verify identity:
- A unique server certificate resides with its public and private keys in the User Key Store of each server (platform/station and Supervisor).
- When a client connects to a server, the server sends its certificate to the client.
- The client station validates the server certificate against a root CA certificate in its System or User Trust Store: it matches the keys, ensures that the Subject of the root CA certificate is the same as the Issuer of the server certificate, and confirms other factors. A client browser does the same; each browser has its own trust store of root CA certificates.
- If the server certificate is valid, the system establishes a trusted connection between the server and client, and encrypted communication begins. If the certificate is not valid, the station or browser notifies the client and communication does not begin.
- You may choose to approve a rejected certificate if you know that, although unsigned, it can be trusted.
NOTE: Always verify the issuer name on any certificate presented by the system as untrusted. Do not approve a certificate from an entity that you do not recognize.
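The client-side checks listed above (Issuer of the server certificate equals Subject of the trusted root, the root's key verifies the server certificate, host name and validity period are acceptable), worked through as an added example using Go's standard `crypto/x509` package. This is not code from the product documentation: the CA name `Example Root CA`, the host `station.example.local`, and the in-memory keys are constructed for the example, standing in for certificates that would normally live in the User Key Store and the System or User Trust Store. The example also covers the two rejection cases a client should surface as "untrusted": a self-signed server certificate, and a certificate whose Issuer name merely matches the root's Subject but was not actually signed by that root, which is why the name comparison alone is never enough.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA creates a self-signed root CA certificate with the given Subject name.
// Constructed test data: keys are generated in memory, nothing is read from a key store.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServerCert creates a server certificate for host, signed by issuer.
// When issuer is nil the certificate is self-signed, which a trust store
// holding only the root CA must reject.
func IssueServerCert(host string, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	parent, parentKey := issuer, issuerKey
	if issuer == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ValidateServerCert performs the client-side checks in the order the text describes:
// 1. the server certificate's Issuer must equal the trusted root's Subject,
// 2. the root's public key must verify the signature on the server certificate,
// 3. the chain must verify for the expected host name, current time and server usage.
func ValidateServerCert(server, root *x509.Certificate, host string) error {
	if !bytes.Equal(server.RawIssuer, root.RawSubject) {
		return fmt.Errorf("issuer %q does not match trusted root subject %q",
			server.Issuer.CommonName, root.Subject.CommonName)
	}
	if err := server.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("signature not made by trusted root: %w", err)
	}
	pool := x509.NewCertPool() // stands in for the System or User Trust Store
	pool.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	host := "station.example.local"
	root, rootKey, _ := NewCA("Example Root CA")
	good, _ := IssueServerCert(host, root, rootKey)
	selfSigned, _ := IssueServerCert(host, nil, nil)
	fmt.Println("issued by trusted root:", ValidateServerCert(good, root, host)) // <nil>
	fmt.Println("self-signed:", ValidateServerCert(selfSigned, root, host))     // issuer mismatch error
}
```

In the product, the station or browser performs the equivalent of `ValidateServerCert` automatically and only prompts the operator when it returns an error; the NOTE above applies to that prompt, and the check that the Issuer name matches is deliberately followed by the signature check because a name can be copied but a signature cannot be produced without the root's private key.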