I have a few questions about digital certificates:
1) As far as I understand, clients are able to verify server digital certificates, because clients contain a set of well known CA self-signed certificates on their machine. Is that enough for the whole verification to be complete or are there some additional remote calls that need to be made by the client to the actual CA (wherever it lives)? I read some things about certificate revocation (CRL and OCSP) which seemed to indicate that remote calls are necessary at some point or another.
2) When validating a server certificate what happens exactly on client-side? I've always explained it to myself that based on the CA in the server certificate the client finds the corresponding CA self-signed certificate on its machine and uses the public key from it to decrypt the signature in the server certificate (so no remote calls here). The decrypted result is as far as I understand a digest of the server's public key. So the client hashes the public key in the server certificate to match it to the digest from the last step. If both match, then everything is ok and the client and server can exchange a symmetric key for further communication. Is that correct?
1) Technically, no, there are no remote calls required. Of course, it's a little more complex than that - if you're using OCSP, then yes, you will need to reach an OCSP server and it must be a remote call. If you use CRLs, you will need to make remote calls to fetch the CRL from the CRL Distribution Point [CDP] in the cert; but if the CRL is fetched and cached locally, and is not expired, then the cert checks are all local.
2) You are correct, the client-side 'chains to a trusted root'; there are more checks performed including key usage, date range checks and, as you noted, verifying the signatures of the certs. The final check is to make sure the root is available at the client.
I hope that helps.
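The local-versus-remote distinction discussed above can be reproduced offline with the `openssl` command line. This is an added example, not part of the original question or answer: it builds a throwaway root CA, a server certificate and a CRL, then verifies the certificate with the trust store only, with a locally cached CRL, after revocation, and with revocation checking demanded but no CRL on hand. The subject names, lifetimes and file names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: a throwaway root CA, server cert and CRL are generated
# locally. Names, lifetimes and file names are assumptions; no network is used.
check() {  # extra verify options in "$@"; prints ok or fail
  openssl verify -CAfile ca.pem "$@" srv.pem >/dev/null 2>&1 && echo ok || echo fail
}

demo() (
  set -e
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 10
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
  : > index.txt; echo 01 > serial; echo 01 > crlnumber
  # Self-signed root: plays the role of the CA cert in the client's trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config pki.cnf \
    -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=server.example.test" -keyout srv.key -out srv.csr 2>/dev/null
  openssl ca -batch -notext -config pki.cnf -in srv.csr -out srv.pem 2>/dev/null
  r1=$(check)                               # signature, dates, chain: local only
  openssl ca -config pki.cnf -gencrl -out crl.pem 2>/dev/null
  r2=$(check -crl_check -CRLfile crl.pem)   # cached, unexpired CRL: still local
  openssl ca -config pki.cnf -revoke srv.pem 2>/dev/null
  openssl ca -config pki.cnf -gencrl -out crl.pem 2>/dev/null
  r3=$(check -crl_check -CRLfile crl.pem)   # refreshed CRL now lists the cert
  r4=$(check -crl_check)                    # revocation demanded, no CRL on hand
  echo "$r1 $r2 $r3 $r4"
)
demo
```

The fourth check fails even though the certificate chains correctly, which is the point at which a real client would have to fetch a CRL from the CDP or query an OCSP responder.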