Any discussion of SSL configuration refers to the term "trusted root" a great deal. What is a trusted root, and what is its significance to SSL?
Most security models for computer-based transactions rely on a central "authority" or mechanism that can be checked against to verify identity and access rights. Lotus Domino and Notes products are a perfect example of this: every Domino server and client is programmed to use the Domino security model, which uses unique user and server ID's that have been certified, or approved, by certifiers that can verify the information that they contain. By way of example, whenever a user ID is presented to a server for access, that server first checks to make sure that the information it contains has been certified by a certifier ID that lies within that server's hierarchical ID structure (an organization or organizational unit, such as Server1/OrgUnit/Org), or that the server has a cross certificate for the certifier. If one of those two criteria is met, then the information is assumed to be valid, and access proceeds.
SSL utilizes this same model: a certificate is presented, it is checked for authenticity, and then access rights are granted according to the user information. Certificates are used for this process, and those certificates, just like a user ID file, are certified in order to work. The key divergence between this model and the Notes model lies in precisely who does the certifying, and how that certification is verified. This is where trusted roots are used.
Whenever a server or client SSL certificate is first issued, it is completely useless. While all the information about the server or client is contained within the file, there is no "stamp" from anything that can verify its
contents. In the Notes world, the certifier ID would be the file to certify the file and make it usable. On the Internet, however, there is no central file or authority to do this. Instead, several independent companies, known as certificate authorities, offer their services to take newly created server and client certificates and certify them using their own information. Once a certificate has been through this process, it may be presented to a Web browser or server for authentication.
Unfortunately, due to the lack of a central certification authority, there is no "built-in" way for a server or browser to recognize that a certificate authority's information is valid. The SSL application checking the information must have information provided by the various CA's to perform a test and make sure that the certificate was not forged. In order to do this, CA's make their public encryption keys available as a special file that can be downloaded into an SSL-enabled application to perform the test. Once this is done, then the SSL application can read and use certificates certified by that CA. Once this is done, that CA is known as a trusted root.
Luckily for Internet users, all commercial browsers ship with a large number of certificate authorities predefined as trusted roots. Also, Domino's Certificate Administration Database (certsrv.nsf), which controls SSL functionality for a Domino server, has a list of predefined trusted roots. Users of the browsers, and administrators of Domino servers, can add new trusted roots at will. This accommodates changes to individual CA formats, in addition to permitting new CA's (including internally used ones, such as Domino's Certificate Authority database) to be added. The Domino Administrator Help includes a table of the trusted roots in a topic entitled "Default Domino SSL trusted roots."