Explanation & Hint:
When a client inspects a server certificate, the three things it validates are:
- The subject matches the URL that is being visited. The client checks that the common name (CN) or subject alternative name (SAN) on the certificate matches the domain of the URL to which it is connecting. This ensures that the certificate was issued for the site the user is actually visiting.
- The current time is within the certificate’s validity date. Certificates are only valid for a specified period. The client verifies that the current date and time fall within the “not before” and “not after” validity dates on the certificate.
- The signature of the CA that is in the certificate is valid. The client checks that the certificate has been signed by a trusted Certificate Authority (CA). This involves verifying the CA’s signature on the certificate using the CA’s public key.
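The three checks above, sketched with Python's standard `ssl` module as an added example that is not part of the original explanation. `SAMPLE_CERT` is a constructed certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample, shaped like the dict from ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

def name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]

def subject_matches(cert, host):
    """Check 1: SAN DNS entries decide; the CN is used only when no SAN exists."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(name_matches(p, host) for p in names)

def within_validity(cert, now):
    """Check 2: notBefore <= now <= notAfter; now is a timezone-aware datetime."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now.timestamp() <= not_after

def strict_client_context():
    """Check 3: the CA signature chain is verified by the TLS library during
    the handshake. The default context requires it and also enforces check 1."""
    return ssl.create_default_context()

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"
    print(subject_matches(SAMPLE_CERT, "www.example.test"),
          within_validity(SAMPLE_CERT, now),
          strict_client_context().verify_mode == ssl.CERT_REQUIRED)
```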
The other options listed do not directly relate to the validation process of a server certificate by a client:
- The website being in the browser’s cache does not relate to certificate validation.
- A root DNS server providing the IP address for the URL is part of the DNS lookup process, not certificate validation.
- Whether the client already has a session key for the URL is irrelevant to the initial server certificate validation process. The session key is established after the server’s identity is verified and a secure connection is negotiated.