http://docs.oracle.com/cd/E19424-01/820-4811/gdzen/index.html
A颁发给B,B颁发给C,...
通常起码root证书要是受信任的
Verifying a Certificate Chain
Certificate chain verification is the process of making sure a given certificate chain is well-formed, valid, properly signed, and trustworthy. Directory Server software uses the following steps to form and verify a certificate chain, starting with the certificate being presented for authentication:
-
The certificate validity period is checked against the current time provided by the verifier’s system clock.
-
The issuer’s certificate is located. The source can be either the verifier’s local certificate database (on that client or server) or the certificate chain provided by the subject (for example, over an SSL connection).
-
The certificate signature is verified using the public key in the issuer certificate.
-
If the issuer’s certificate is trusted by the verifier in the verifier’s certificate database, verification stops successfully here. Otherwise, the issuer’s certificate is checked to make sure it contains the appropriate subordinate CA indication in the Directory Server certificate type extension, and chain verification returns to step 1 to start again, but with this new certificate.
1 有效
2 链
3 遇到第一个受信任的证书即终止
