We have a proper signed server certificate and intermediate CA from a trusted certificate authority.

Is it true that we cannot use this certificate (so the intermediate CA) for creating our own client certificates?

As I read here: https://security.stackexchange.com/a/26084/57364

"which is why they will not give you sub-CA power for free"

So a certificate authority simply won't allow me to do this?

Does this mean the only way to create client certificates is to make my own CA?

Please correct me if I make some fundamental mistake here...

Sjoerd
Wilt

2 Answers

Your CA issued you an intermediate CA cert if:

  • they have provided you a certificate that has the CA extension set to TRUE (with or without a depth)
  • they have provided you a certificate that has suitable keyUsage extensions, that is keyCertSign and cRLSign (see https://superuser.com/questions/738612/ddg#738644)
  • you control/own the private key that matches the subjectPublicKey of the certificate

If that is the case, unless they have introduced other restrictions (such as NameConstraints - see https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10 and https://serverfault.com/questions/670725/is-it-possible-to-restrict-the-use-of-a-root-certificate-to-a-domain), you should be able to use the intermediate CA to issue client certs if you want to. There may be policy/contractual reasons why this may not be true.

I suspect such a certificate would be expensive, but I don't have any references I can point to.

That being said, it should be noted that for client certificates, there is no fundamental requirement for the CA issuing client certs to match the CA issuing the server certs. It is entirely possible to use an internal CA for your client certs, and an external one for e.g. your public facing webservers.

iwaseatenbyagrue


A trusted certificate is signed by a CA's private key. What makes it a CA is that it

a) has special markings that denote it's a CA (well, sort of), and
b) its public key is stored in your trust store, meaning your computer trusts it and its children.

The certificate you have is intended for a specific purpose, and has its own special markings that denote what it's used for. Client certificates also have their own markings, etc.

Now, you can use your private key to sign other certificates in the technical sense, but nobody will trust them because your certificate doesn't have the special markings that denote it's allowed to do that.

So yes, you do need your own CA in order to use client certificates the way you're wanting to use them. That said, every service that needs to verify one of those certificates would need a copy of the CA's public key in their trust store. Of course, if you did have the power to sign such certificates that were trusted, you would have an immense amount of power at your disposal because you could create trusted certificates for services that aren't rightfully yours.

Wilt
Steve