How does a Browser verify an SSL Certificate?

Rashmi Bhardwaj | Blog,Security

The verification of the SSL certificate at the browser level is one of the pivotal steps to guarantee a safe stay to the visitor over a particular web page. That is why, it is one of the steps that are taken seriously by the browsers and executed with due diligence.


The basic function of verification is commenced at the trust anchor. It is also termed as the root certificate and the task of verification laboriously validate each information and critical extension marked in the certificate. In case the procedure ends with the final certificate in the path free of errors,  then the concerned path is registered and accepted as valid. If that results in errors, then the path is registered as invalid.

Basic Steps of SSL Certificate Verification

The following are the nine key steps that the browsers ought to verify regardless of the extension. Let us find out the sequence of steps in the points below-


1) The Verification of the Integrity of the Certificate

The signature marked on the certificate is verified with the help of general public key cryptography. In case the signature turns out to be invalid, the certificate is claimed to be modified after issuance and hence rejected.

2) The Verification of the Validity of the Certificate

The step would enable the browser to check the validity period of the certificate. Any SSL certificate carrying an expired date and time would be subject to rejection.

3) The Verification of the Revocation Status of the Certificate

There are certain circumstances which may result in the revocation of a certificate prior to the natural date and time of expiry. Some of the prevalent examples include an alteration in the name of the subject, a questionable compromise of the private key, etc. The revocation status verification is done on the basis of the information provided by Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP).

4) The Verification of the Issuer by the Browser

The issuance of the certificate is generally associated with two entities. One is the issuer, the entity possessing the signing key and the other being, the Subject, the owner of the public key authenticated by the certificate. Here, it is the responsibility of the browser to check the fact that the certificate’s issuer field is as identical as the subject field of the previous certificate within the path.

5) The Verification of the Name Constraints by the Browser

It is feasible for a privately-owned (yet publicly-trusted) intermediate CA carrying prudent name constraints to come up with an enterprise offering fine-grained control towards certificate issuance and management. Certificates can be restrained to a particular domain or even domain tree (i.e. featuring subdomains) for an enterprise’s domain name. The name constraints are generally used for the intermediate CA certificates bought from a publicly-trusted Certificate Authority in order to restrict the intermediate CA from releasing perfectly valid certificates to function within third-party domains (for e.g.

6) The Verification of the Policy Constraints by the Browser

An SSL certificate is a legal document in release. That is the reason why due to legal and operational reasons, a certificate can sanction restrictions on which policies it can be a subject to. If there are critical policy constraints within a certificate, then the browser ought to validate them prior to proceeding.

7) The Verification of Basic Constraints (i.e. Path Length) by the Browser

It is a fact that X.509 v3 format permits issuers to specify the maximum path length that a certificate can enforce. That offers control over how much extent each certificate could be placed within a certification path.

8) The Verification of Key Usage by the Browser

The “Key Usage” extension is pertinent in terms of the objective of the key in the certificate. Few of the usage examples include signatures, encipherment, certificate signing, etc. The certificates that violate the key usage constraints are rejected by the browsers. For instance, finding a server certificate with a key that is only meant for CRL signing.

9) The Verification of all the Remaining Extensions

After processing all the extensions highlighted above, the browsers proceed with the verification of remaining extensions. If the browser reaches down to the leaf certificate without error, the path is accepted as a valid one.


The above points deliver step by step insight of the verification process conducted by the browsers. It is an undeniable fact that trust plays a decisive role in keeping a person safe online. That is the reason why it is necessary for you to exercise your right to inquire about CAs certificate policy as much as possible.

Also refer Types of SSL Certificates


Leave a Comment

Your email address will not be published. Required fields are marked *

Shopping Cart