The recipient of the certificate generates another digest by applying the same MD5 or SHA-1 hash algorithm to the certificate file, then uses the CA's public key to decrypt the digital signature. By comparing the decrypted digest with the digest just generated, the recipient is able to confirm the integrity of the CA's signature and, by extension, the integrity of the accompanying certificate. Figure 89 illustrates this process.
Note: If the issuer of the end-entity (EE) certificate is not a root certificate, up to eight levels of the chain are verified (as explained in Understanding Public Key Infrastructure). The revocation status of each certificate in the verification chain is also checked. A certificate's revocation status is considered “good” when its serial number does not appear in a CRL that satisfies the refresh requirement of the CA profile.
Figure 89: Digital Signature Verification
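The recipient's check described above, together with the CRL test from the note, as an added Go example that is not part of the original document. It assumes a self-signed root CA and an EE certificate constructed on the spot with Go's standard `crypto/x509`, SHA-256 in place of the MD5/SHA-1 named in the text, and a CRL modelled as a plain list of revoked serial numbers.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCert issues a certificate for a fresh 2048-bit RSA key: a self-signed root CA when
// issuer is nil, otherwise one signed by issuerKey, the issuing CA's private key (constructed fixture).
func NewCert(cn string, serial int64, isCA bool, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if issuer == nil {
		issuer, issuerKey = tmpl, key // self-signed: the template is its own parent
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifySignature repeats the recipient's steps: hash the to-be-signed part of the certificate
// (SHA-256 here) and check the signature over that digest with the issuer's public key.
func VerifySignature(cert, issuer *x509.Certificate) bool {
	pub, ok := issuer.PublicKey.(*rsa.PublicKey) // a non-RSA issuer fails closed
	digest := sha256.Sum256(cert.RawTBSCertificate)
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], cert.Signature) == nil
}

// RevocationStatus is "good" only when the serial is absent from the CRL (a list of revoked serials here).
func RevocationStatus(cert *x509.Certificate, revokedSerials []*big.Int) string {
	for _, s := range revokedSerials {
		if s.Cmp(cert.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}
```

Flipping a single byte of the to-be-signed portion changes the recomputed digest, so VerifySignature reports a mismatch even though the signature bytes are untouched.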
