Viewing Server Certificate Path in Firefox 35

PKI Tutorials - Herong's Tutorial Examples - Version 2.04, by Dr. Herong Yang

PKI Tutorials - Herong's Tutorial Examples

∟Viewing Server Certificate Path in Firefox 35

This section provides a tutorial example on how to view certificate path when visiting a 'https' Web site in Firefox 35. The top certificate in a certificate path is the root CA certificate, which is trusted automatically.

When a browser validates a server certificate, it will try to build a certificate path - an ordered list of certificates that satisfy these conditions:

The first certificate must a CA (Certificate Authority) certificate that is trusted by the browser.
The subject of each certificate, except for the last, must be the issuer of the next certificate.
The last certificate is the server certificate to be validated

Here is what I did to see the certificate path for https://login.yahoo.com Web site on Firefox 35.

1. Visit https://login.yahoo.com with Firefox 35, and view the server certificate again.

2. Click the "Details" tab on the Certificate Viewer. A certificate path with 3 certificates shows up in the Certificate Hierarchy section:

VeriSign Class 3 Public Primary Certification Authority - G5
                                 - The root CA certificate
|- VeriSign Class 3 Secure Server CA - G3
                                 - The intermediate CA certificate
   |- *.login.yahoo.com          - The Web server certificate

3. Click on "VeriSign Class 3 Public Primary Certification Authority - G5" in the path. Then click on "Issuer" and other fields in the Certificate Fields section to see more about this root CA certificate:

Subject: VeriSign Class 3 Public Primary Certification Authority - G5
Issuer: VeriSign Class 3 Public Primary Certification Authority - G5
Validity - Not Before: 11/7/2006 - Not After: 7/16/2036

4. Click on "VeriSign Class 3 Secure Server CA - G3" in the path. Then click on "Issuer" and other fields in the Certificate Fields section to see more about this intermediate CA certificate:

Subject: VeriSign Class 3 Secure Server CA - G3
Issuer: VeriSign Class 3 Public Primary Certification Authority - G5
Validity - Not Before: 2/7/2010 - Not After: 2/7/2020

5. Click on "*.login.yahoo.com" in the path. Then click on "Issuer" and other fields in the Certificate Fields section to see more about this HTTPS Web server certificate:

Subject: *.login.yahoo.com 
Issuer: VeriSign Class 3 Secure Server CA - G3
Validity - Not Before: 4/7/2014 - Not After: 4/9/2015

What do you think about this certificate path? Should we trust login.yahoo.com now? I think this is a valid certificate path and we should trust login.yahoo.com, because:

The root CA certificate "VeriSign Class 3 Public Primary Certification Authority - G5" is trusted because it was pre-installed in Firefox.
The intermediate CA certificate "VeriSign Class 3 Secure Server CA - G3" is trusted because it was issued by a trusted root CA.
The login.yahoo.com certificate "*.login.yahoo.com" is trusted because it was issued by a trusted intermediate CA.

The picture below shows an example of a certificate path: