Post-Enrollment Usage of Certificates
Once a requester obtains a digital certificate signed by a CA, they can install it on an endpoint, which then becomes a trusted network entity. This assumes that any third party relying on the certificate possesses the CA’s public key; the root certificates of leading CAs are installed in all major browsers.
As part of the standard TLS handshake, any third party that interacts with the certificate owner checks the validity of the issued certificate by decrypting the CA's digital signature with the CA's public key.
The third party compares the decrypted hash with the hash it obtains by hashing the digital certificate itself. A match indicates the integrity of the certificate. The third party can then retrieve the public key from the digital certificate and proceed to establish a secure, encrypted connection.
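
The signature check described above, as an added example that is not part of the original page: a CA signs the hash of a certificate body, and a third party recovers that hash with the CA's public key and compares it with its own hash of the body. The demo CA key, the certificate body string and the function names are constructed for illustration, and RSA with PKCS#1 v1.5 padding and SHA-256 is an assumed signature scheme.

```python
import hashlib
import hmac

# Constructed demo CA key built from two Mersenne primes. Illustration only:
# primes of this special form must never be used for a real key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # CA public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))      # CA private exponent
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode(body: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo || SHA-256(body)."""
    t = SHA256_PREFIX + hashlib.sha256(body).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def ca_sign(body: bytes) -> bytes:
    """CA side: apply the private exponent to the padded hash."""
    return pow(int.from_bytes(encode(body), "big"), D, N).to_bytes(K, "big")


def verify(body: bytes, signature: bytes) -> bool:
    """Third-party side: recover the signed block with the CA public key
    and compare it with the block rebuilt from the received body."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    # Compare the whole padded block, not only the trailing hash bytes,
    # so malformed padding cannot pass the check.
    return hmac.compare_digest(recovered, encode(body))


# Constructed stand-in for the signed portion of a certificate.
CERT_BODY = b"subject=CN=endpoint.example;issuer=CN=Demo CA;pubkey=placeholder"
SIGNATURE = ca_sign(CERT_BODY)

if __name__ == "__main__":
    print("genuine body :", verify(CERT_BODY, SIGNATURE))
    altered = CERT_BODY.replace(b"endpoint", b"modified")
    print("altered body :", verify(altered, SIGNATURE))
```

Changing a single byte of the body or of the signature makes the comparison fail, which is the integrity property the match provides.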