The certificate is signed, and that signature is itself sufficient proof that the certificate is legitimate: the client can be sure, on its own and without contacting the issuer's server, that the certificate is authentic. That is the fantastic thing about asymmetric encryption.