A Certificate Authority (CA) is a trusted entity that signs digital certificates, enabling users to verify their authenticity. Rather than storing every individual certificate for each server (which would be impractical due to the sheer volume and frequent renewals), users can store a limited set of root certificates to authenticate server certificates as needed.
A client must also verify that the hostname or IP address in the certificate matches the expected one. The [@boost:/doc/html/boost_asio/reference/ssl__host_name_verification.html `net::ssl::host_name_verification`] helper function object can perform this verification according to the rules described in RFC 6125:
A Server Certificate is a digital certificate that confirms a server's identity as the legitimate destination for a client. It contains a verifiable signature that ensures it was issued by a trusted certificate authority (CA).
When a server certificate is issued by an intermediate certificate authority, and the client lacks those intermediate certificates, the server should provide all the relevant certificates to the client. This allows the client to verify the final certificate in the chain against the root certificate.
A server can authenticate clients by requiring and verifying their certificates, preventing access for those without a valid certificate and private key. The server enforces this by modifying peer verification settings:
The Subject Alternative Name (SAN) is an extension in X.509 certificates that allows multiple domain names, subdomains, or IP addresses to be associated with a single SSL/TLS certificate. Before that it was the Common Name field in the certificate subject which could contain a single hostname.
recommends that if a certificate includes a SAN dNSName field, the client must ignore the subject CN field. Some modern browsers, such as Google Chrome, check only the SAN section in an SSL/TLS certificate and reject certificates that contain only the CN field.