A CA (Certificate Authority) is an issuer that receives a CSR and returns the SSL certificate bearing the CA's digital signature.
CSR (Certificate Signing Request)
A CSR (Certificate Signing Request) is an encoded file that is given to a CA (Certificate Authority) when requesting an SSL certificate. It contains the information that will be included in the certificate, including the holder's name, serial number, expiration date and the public key. The CA returns the SSL certificate signed with its digital signature.
The Java KeyStore is a password-protected, encrypted file repository containing Key Pairs, SSL certificates, and CA certificates.
A Key Pair consists of two uniquely related cryptographic keys: a Public Key and a Private Key (essentially very long numbers derived from random data).
The Public Key is what its name suggests - Public. It is made available to everyone through a publicly accessible repository or directory.
The Private Key must remain confidential to its owner. Because the two keys are mathematically related, whatever is encrypted with a Public Key can only be decrypted with its corresponding Private Key, and vice versa.
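The relationship described above, as an added example that is not part of the original page: a Go program using only the standard library generates two independent RSA Key Pairs, shows that a message encrypted with the owner's Public Key is recovered only by the owner's Private Key (a stranger's Private Key fails), and shows the reverse direction, where the Private Key produces a signature that the Public Key verifies. The names `KeyPair`, `Seal`, `Open`, `Sign`, `Verify` and `Demo` and the sample message are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyPair bundles the two halves of one RSA Key Pair: the public half may be published,
// the private half must stay with its owner.
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewKeyPair generates a fresh 2048-bit RSA Key Pair.
func NewKeyPair() (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// Seal encrypts msg with a Public Key; only the matching Private Key can recover it.
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Open decrypts a message sealed with the public half of priv.
func Open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign is the other direction: the Private Key produces a signature that anyone holding
// the Public Key can check. This is the operation a CA performs on a certificate.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify reports whether sig is a valid signature over msg under pub.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Result records the outcome of each check performed by Demo.
type Result struct {
	OwnKeyDecrypts    bool // the matching Private Key recovers the message
	OtherKeyFails     bool // an unrelated Private Key cannot
	SignatureVerifies bool // the Public Key verifies what its Private Key signed
	TamperedFails     bool // the signature does not verify over a modified message
}

// Demo exercises both directions with two independent Key Pairs (owner and stranger).
func Demo() (Result, error) {
	var r Result
	owner, err := NewKeyPair()
	if err != nil {
		return r, err
	}
	stranger, err := NewKeyPair()
	if err != nil {
		return r, err
	}
	msg := []byte("constructed sample message") // sample input, constructed for this example
	ct, err := Seal(owner.Public, msg)
	if err != nil {
		return r, err
	}
	pt, err := Open(owner.Private, ct)
	r.OwnKeyDecrypts = err == nil && bytes.Equal(pt, msg)
	_, err = Open(stranger.Private, ct) // wrong Private Key: OAEP padding check fails
	r.OtherKeyFails = err != nil
	sig, err := Sign(owner.Private, msg)
	if err != nil {
		return r, err
	}
	r.SignatureVerifies = Verify(owner.Public, msg, sig)
	r.TamperedFails = !Verify(owner.Public, append([]byte("x"), msg...), sig)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running the program prints all four fields as true. The stranger's key fails not because the ciphertext is malformed but because OAEP decryption with the wrong key yields bytes that do not pass the padding check, which is why the error must be checked rather than the output compared.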
SSL (Secure Sockets Layer) is a standard security protocol for establishing an encrypted connection between a server and a client. Specifically, it encrypts the connection and the data transmitted over it. To achieve a secure connection, a service needs a Key Pair (Public Key and Private Key) and an SSL Certificate.
SSL Certificate Authentication
An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates a service in network connections. To obtain an SSL certificate, you must create a CSR (Certificate Signing Request) for your service's Key Pair and have it signed by your CA (Certificate Authority). An SSL certificate contains the following information:
Certificate holder's name
Certificate serial number and expiration date
A copy of the certificate holder's public key
Digital signature of the certificate issuing authority
There are two types of CAs (Certificate Authorities): Root CAs and Intermediate CAs.
A certificate chain is an ordered list of certificates, containing an SSL Certificate and the Certificate Authority certificates that enable the receiver to verify, using its trust store, that the sender and all CAs in the chain are trustworthy. The chain (or path) begins with the SSL certificate, and each certificate in the chain is signed by the entity identified by the next certificate in the chain. Any certificate that sits between the SSL Certificate and the Root CA Certificate (the last certificate in the chain) is called an Intermediate CA Certificate. The Root CA sits at the end of the chain: it signs the Intermediate CA certificate, and the Intermediate CA signs the services' SSL certificates.
For example, when a service receives the SSL certificate chain of a peer that is trying to connect during the SSL handshake, it verifies the peer's SSL certificate using the Intermediate CA certificate next in the chain. It then verifies the Intermediate CA certificate by looking in its trust store for the Root CA certificate that signed it. This completes the verification of the certificate chain. The connection is not established if verification of the full chain fails.
A Trust Store contains the certificates of the CAs (Certificate Authorities) you trust. For example, when a service receives the SSL certificate of a peer that is trying to connect during the SSL handshake, it verifies that the peer's SSL certificate is signed by one of the trusted certificates in its trust store. If the signing CA's certificate is not in the Trust Store, the SSL handshake fails and the connection is not established.
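The CSR, certificate chain and trust store passages above, as one added example that is not part of the original page: a Go program using only the standard library plays every party once. A Root CA self-signs its certificate and signs an Intermediate CA certificate; a service generates its Key Pair and a CSR; the Intermediate CA checks the CSR's signature, assigns a serial number and validity period, and issues the service's SSL certificate. `VerifyChain` then performs the receiver's handshake check and is exercised with the chain intact, with the Intermediate CA certificate missing, with a different Root CA in the trust store, and with the wrong service name. The CA names, the service name `service.example`, the `CertList` type and the function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertList is an ordered set of certificates: a chain's intermediates, or a receiver's trust store.
type CertList []*x509.Certificate

// newKey generates a P-256 Key Pair; failure means the system RNG is unusable.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate describes a CA certificate; the names are constructed for this example.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// issue signs tmpl with the parent's private key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain returns the Root CA, Intermediate CA and service certificates: the Root CA
// self-signs and signs the Intermediate CA; the service generates its Key Pair and a CSR;
// the Intermediate CA checks the CSR and issues the service's SSL certificate from it.
func BuildChain(serviceName string) (root, inter, leaf *x509.Certificate, err error) {
	rootKey := newKey()
	rootTmpl := caTemplate("Example Root CA", 1)
	if root, err = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil { // self-signed
		return nil, nil, nil, err
	}
	interKey := newKey()
	if inter, err = issue(caTemplate("Example Intermediate CA", 2), root, &interKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	// Service side: the CSR carries the public half of the Key Pair and the requested name,
	// and is signed with the private half so the CA can confirm the requester holds it.
	serviceKey := newKey()
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: serviceName}, DNSNames: []string{serviceName},
	}, serviceKey)
	if err != nil {
		return nil, nil, nil, err
	}
	// CA side: verify the CSR signature, then assign serial number and validity period
	// and sign the resulting certificate with the Intermediate CA's private key.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, nil, nil, err
	}
	if err = csr.CheckSignature(); err != nil {
		return nil, nil, nil, err
	}
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, csr.PublicKey, interKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return root, inter, leaf, nil
}

// VerifyChain is the receiver's handshake check: the peer's certificate must chain through the
// presented intermediates to a root in the receiver's trust store and be valid for serviceName.
// A nil result means the connection may proceed; any error means it must be refused.
func VerifyChain(leaf *x509.Certificate, intermediates, trustStore CertList, serviceName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: serviceName})
	return err
}
```

To run it, call `BuildChain("service.example")` and then `VerifyChain(leaf, CertList{inter}, CertList{root}, "service.example")`, which returns nil; passing `nil` for the intermediates, a root from a second `BuildChain` call as the trust store, or a different service name each returns an error, which is the point at which a real service would abort the handshake. Note that only the Root CA certificate lives in the trust store: the Intermediate CA certificate is supplied by the peer as part of the chain, which is why a service that omits it from its chain fails verification even though its certificate is genuine.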