Certificate Verification

When the connection between a client and server is first established, either or both can verify the identity of the other by means of the other side's (the peer's) digital certificate.

Three kinds of file take part in verifying a certificate: the certificate being presented, the private key that corresponds to it, and one or more trusted CA certificate files against which the presented certificate is checked. The certificate and its key may be combined into a single file. In the case of a self-signed certificate, the certificate and the CA certificate are the same file, so trusting it means trusting that one certificate explicitly rather than an issuer.

If the certificate was issued through one or more intermediate CAs, more than one trusted CA certificate is involved; together they form a chain of trust. One CA certificate (the issuing CA) is used to verify the certificate itself, and each further CA certificate verifies the one below it, up to a root CA that the verifying side trusts outright. The CA certificates are normally supplied to the verifier as one file with the certificates concatenated. For the sake of simplicity, we refer to this chain of trust as the trusted CA certificate.

The peer whose certificate is being verified needs access to both its certificate and its key file; the key is used to prove possession of the certificate during the handshake and is never sent to the other side. The peer that does the verification needs access only to the trusted CA certificate.

Types of Verification

  • In server verification (also known as peer verification), the client verifies the certificate sent by the server against the CA certificate held in the client's local certificate store.
  • In client verification, the server verifies the client. When negotiating the secure connection, the server requests the client's certificate; the client sends the certificate and signs part of the handshake with its private key to prove that it holds the key matching that certificate. The private key itself never leaves the client.
  • In Peer Name verification, the peer name that the client specifies (normally the host name it connected to) must match one of the names in the certificate's Subject Alternative Name (SAN) extension or, if the certificate has no SAN, the common name (CN field). Most current TLS implementations consult the CN only when no SAN is present. Depending on the application, a client certificate may not be required, and Peer Name verification may be disabled.
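The following is an added example, not code from the original page or from the product it documents. It shows, with the Python standard `ssl` module, which side holds which file (the paragraphs on certificate, key and trusted CA files above) and how the three kinds of verification in the list map onto a client and a server context. It also spells out the peer name matching rule (SAN first, CN only as a fallback, single-label wildcards) as a standalone function that runs offline against a constructed, parsed certificate shaped like the dictionary `ssl.SSLSocket.getpeercert()` returns. The file paths, host names and certificate contents are assumptions for illustration; no real certificate is included.

```python
import ssl
from typing import Optional

# Constructed sample "parsed certificates" (not real certificates), in the
# shape returned by ssl.SSLSocket.getpeercert(), so the name check runs offline.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "subjectAltName": (("DNS", "api.example.test"), ("DNS", "*.svc.example.test")),
}
SAMPLE_CN_ONLY_CERT = {  # no SAN extension at all: CN fallback applies
    "subject": ((("commonName", "legacy.example.test"),),),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the expected host (case-insensitive).
    A wildcard is accepted only as the entire leftmost label, matches exactly
    one label, and needs at least two fixed labels after it ("*.com" never
    matches). This is the RFC 6125 rule that current TLS stacks apply."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def match_peer_name(cert: dict, expected: str) -> bool:
    """Peer name verification: the expected name must match a DNS SAN entry;
    the CN is consulted only when the certificate carries no DNS SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(san, expected) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, expected)
    return False


def client_context(trusted_ca: Optional[str] = None, certfile: Optional[str] = None,
                   keyfile: Optional[str] = None) -> ssl.SSLContext:
    """The verifying side for server verification: needs only the trusted CA
    file (root plus intermediates concatenated; None means the system store).
    It needs its own certificate and key only if the server asks for client
    verification. Hypothetical paths are passed in by the caller."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=trusted_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED   # server verification
    ctx.check_hostname = True             # peer name verification (SAN, then CN)
    if certfile:
        # keyfile=None means the key is combined into the certificate file
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def server_context(certfile: str, keyfile: Optional[str] = None,
                   client_ca: Optional[str] = None) -> ssl.SSLContext:
    """The side being verified: always needs its certificate and private key.
    It needs a trusted CA file only when it performs client verification, in
    which case the client must present a certificate that chains to that CA."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED if client_ca else ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for host in ("api.example.test", "orders.svc.example.test", "a.b.svc.example.test"):
        print(host, match_peer_name(SAMPLE_PEER_CERT, host))
    ctx = client_context()  # hypothetical: system CA store, no client certificate
    print(ctx.verify_mode.name, ctx.check_hostname)
```

With `check_hostname` left enabled, the `ssl` module performs the same SAN-then-CN matching internally during the handshake, so `match_peer_name` is only needed when a name must be checked outside the handshake (for example against a certificate obtained from a file). A context built with `verify_mode = ssl.CERT_NONE` on the client would skip server verification entirely and is the weak setting to avoid.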

Note:  When configuring the TLS connector, you can choose to use server or client verification, and set the appropriate connector options. Peer name verification is enabled by default when server or client verification is enabled. You can use other techniques to ensure the certificate can be trusted and defend against man-in-the-middle attacks. For more information, see Certificate Verification by the TLS Connector and Man-In-The-Middle Attacks.

When configuring a SOAP callout, you can choose to disable host verification. Doing so removes the peer name check for that callout, so a server presenting any certificate trusted by the client is accepted; enable it only where that risk is understood. For more information, see HTTPS Verification for Web Services.