0

I know that I can set up a local certification authority for a local network. I can issue certificates for all the devices in my network, and as long as they trust me, they can use such certificates to authenticate each other. External devices, instead, do not trust me, and so they cannot accept the certificates provided by my internal devices.

My question is

If my local certification authority were provided with a certificate issued by an internationally trusted CA, would external devices be able to reconstruct the certificate chain and so, in the end, accept the certificates I issued as valid?

ssnape
  • 11
  • 2

2 Answers

1

If my local certification authority were provided with a certificate issued by an internationally trusted CA, would external devices be able to reconstruct the certificate chain and so, in the end, accept the certificates I issued as valid?

Yes. This would turn you into an intermediate CA (provided the required key usages have been set), which generally should be trusted with all the responsibility that comes with that task.

Note that this basically turns you into a (nearly) fully-featured CA and you really don't want that. Besides that, there are companies that sell you your own PKI (presumably for automated server setup).

SEJPM
  • 9,500
  • 5
  • 35
  • 66
  • So the only problems you see are related to the responsibilities I should take on? – ssnape Mar 22 '16 at 15:28
  • 1
    @ssnape, yes, getting the processes right is the hardest part about being a CA, technically it will work granted a trusted CA allowed you to issue certificates. – SEJPM Mar 22 '16 at 15:34
0

Yes, if an internationally trusted CA were to issue a certificate for your local CA, then everyone would trust every certificate issued by your local CA. You could then issue a certificate for any website in the world - Google, banking websites, whatever - and have the entire world trust your certificate. And this is why no internationally trusted CA will give your local CA a certificate that allows it to sign further certificates.

Jenny D
  • 1,197
  • 9
  • 18
  • What does that mean? Once a CA certifies that I am the owner of a certain public key, how can the CA prevent me from using that key to sign whatever I want? – ssnape Mar 22 '16 at 15:15
  • @ssnape, they can't. If the CA didn't allow you to issue certificates by not setting the required key usage, the signatures won't be recognized as valid. – SEJPM Mar 22 '16 at 15:21
  • So there is a field in x.509 certificates indicating if the owner of the key can issue other certificates or not? Could you please tell me which one? – ssnape Mar 22 '16 at 15:32
  • @ssnape https://tools.ietf.org/html/rfc5280#section-4.2.1.9 – SEJPM Mar 22 '16 at 15:35
  • And to get the right certificate is just a matter of price, I think... or not? – ssnape Mar 22 '16 at 15:41
  • To get a certificate that can be used to sign anything and be trusted by everyone? No, not a matter of price. – Jenny D Mar 23 '16 at 06:15
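Both answers and the comment thread turn on the same mechanism: a certificate only works as an intermediate CA if its issuer set the Basic Constraints `cA` flag (RFC 5280 section 4.2.1.9) and the `keyCertSign` key usage. The added example below, which is not code from the original thread, builds a three-level chain with Go's standard `crypto/x509` package (a constructed "public root", a "Local Network CA" issued by it, and a device certificate issued by the local CA) and runs the standard path validation on the device certificate. Names such as `device.example.test` and the function `VerifyDeviceChain` are this example's own. Flipping the two inputs shows that a valid signature alone is not enough: when the local CA's certificate carries `cA=false`, or carries `cA=true` without `keyCertSign`, the device certificate is rejected by the same validation that accepts it when the root actually delegated signing authority.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key; every certificate in the example gets its own.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// issue signs template with issuerKey, naming issuer as the issuer, and returns the parsed
// certificate. For a self-signed root, pass the template itself as issuer and its own key.
func issue(template, issuer *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, issuer, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDeviceChain builds root -> local CA -> device and validates the device certificate
// against the root. localIsCA and localKeyUsage are what the (constructed) public root put
// into the local CA's certificate; they decide whether the local CA may sign further certs.
func VerifyDeviceChain(localIsCA bool, localKeyUsage x509.KeyUsage) error {
	notBefore := time.Now().Add(-time.Hour)
	notAfter := notBefore.Add(48 * time.Hour)

	// 1. Self-signed root: stands in for the internationally trusted CA.
	rootKey, err := newKey()
	if err != nil {
		return err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Public Root CA (constructed)"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true, // basicConstraints cA=TRUE
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return err
	}

	// 2. Local CA, issued by the root. The root decides the cA flag and key usage here.
	localKey, err := newKey()
	if err != nil {
		return err
	}
	localTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Local Network CA (constructed)"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  localIsCA, // basicConstraints cA flag as set by the root
		BasicConstraintsValid: true,
		KeyUsage:              localKeyUsage, // keyCertSign present or absent
	}
	local, err := issue(localTmpl, root, &localKey.PublicKey, rootKey)
	if err != nil {
		return err
	}

	// 3. Device certificate signed by the local CA's key. The signature is always valid;
	//    whether relying parties accept it depends entirely on step 2.
	devKey, err := newKey()
	if err != nil {
		return err
	}
	devTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "device.example.test"},
		DNSNames:     []string{"device.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	dev, err := issue(devTmpl, local, &devKey.PublicKey, localKey)
	if err != nil {
		return err
	}

	// Path validation as an external relying party would do it: trust only the root,
	// have the local CA's certificate available as an intermediate.
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(local)
	_, err = dev.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       "device.example.test",
	})
	return err
}

func main() {
	cases := []struct {
		name  string
		isCA  bool
		usage x509.KeyUsage
	}{
		{"root delegated signing (cA=true, keyCertSign)", true, x509.KeyUsageCertSign | x509.KeyUsageCRLSign},
		{"ordinary end-entity cert for the local CA (cA=false)", false, x509.KeyUsageDigitalSignature},
		{"cA=true but no keyCertSign", true, x509.KeyUsageDigitalSignature},
	}
	for _, c := range cases {
		fmt.Printf("%-55s -> %v\n", c.name, VerifyDeviceChain(c.isCA, c.usage))
	}
}
```

Only the first case yields a nil error. In the second the validator stops at the local CA's certificate because it is not marked as a CA, and in the third because its key usage does not permit signing certificates, which is the "required key usages" point in the first answer and the reason the second answer says no public CA will issue such a certificate to a private party.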