
SSL Certificate framework 101: How does the browser verify the validity of a given server certificate?

Çağlar Arlı - 2 Views


(I have a basic understanding of public/private keys, hashing, digital signatures... I have been searching online and the Stack forums for the last couple of days but cannot seem to find a satisfactory answer.)

Example: I am surfing on open Wi-Fi and I browse to https://example.com for the first time. The server sends back its SSL certificate. My browser does its thing and verifies that the cert is signed by a CA that it trusts, and all is well. I click around on the website. BUT!

Question: Can someone explain to me in a simple way how my browser verifies that the server certificate is legitimate? Yeah, okay, so on the certificate itself it says it is issued by, say, "Verisign", but what is the actual cryptographic magic that happens behind the scenes to validate that it isn't a bogus certificate? I have heard people explain "SSL certificates are verified using the signing CA's public key", but that doesn't make sense to me. I thought the public key is used to encrypt data, not to decrypt data.

So confused... I'd appreciate it if someone could enlighten me.