Approaches to certificate revocation - part 2
Following on from part 1, which covered the formative CRL and OCSP approaches, this post explores the revocation approaches that have introduced a return to the use of CRLs — browser vendors distri...
Certificate revocation has always been opaque to me — from a WebPKI perspective, browser behaviour has varied and has not made revocation checking a reliable feature of the trust model. This post e...
Having worked through certificates in other posts, I’ve accepted that certificate signatures work — without looking at how they are generated and validated. This post explores RSA certificate sign...
A question came up recently: why not just use a public CA signed certificate when mTLS runs between two separate parties/organisations? This post explores the question, though mTLS itself may not ...
This post covers the WebPKI model of a client authenticating a service — background context for a later post on mTLS. Questions to explore This post works through the following questions, with ex...
When inspecting X.509 certificates, it’s not always obvious which attributes denote the purpose of a certificate — whether root, intermediate, or end-entity. Questions to explore This post works t...