Certificate Authentication Sequence of Events
Server certificate authentication uses the following sequence of events:
- The Secure Shell client initiates a connection.
- The host sends its certificate to the client.
- The client uses the CA root certificate to verify the validity of the server certificate.
Note: The client must already have a copy of the CA certificate in the trusted root store. (A single CA certificate can be used to authenticate multiple servers.)
- The client checks that the server information in the certificate matches the host being contacted.
- To confirm that the host holds the private key that corresponds to the public key in the certificate, the client sends a challenge (an arbitrary message) to the server and computes a based on this message text.
- The server creates a digital signature based on the challenge message — the server independently computes the message hash, and then encrypts the computed hash using its private key. Next, the server attaches this digital signature to the challenge and returns this signed message to the client.
- The client decrypts the signature using the server's public key and compares the hash with its own computed hash. If the values match, host authentication is complete.