14

I'm having a friendly debate with a co-worker as to the meaning of "self-signed" when it comes to PKI. We have an internal root and subordinate CA in our organization. We import the cert chain on internal clients to allow for the trust of certificates issued from our internal/private CA.

My colleague believes that the definition of a self-signed certificate is one where there's no publicly trusted/commercial certificate authority involved. I, however, understand a self-signed certificate to be one that's created by the host that it resides on and has no further link to any chain, private or public.

I've searched Google and found both answers being touted as correct. I'm not great at comprehending RFCs, which is probably what I need to do to really get to the root of this argument. Rather, can someone more knowledgeable than myself help to settle this disagreement?

schroeder

  • If possible please back up your answer with the relevant RFC due to there being so much misinformation on both sides. – Keith Madaras Mar 13 '20 at 01:06
  • Related: [Why are SSL/TLS certificates self-signed if they have no real signature/CA?](https://stackoverflow.com/questions/871388/why-are-ssl-tls-certificates-self-signed-if-they-have-no-real-signature-ca) – sleske Mar 13 '20 at 09:52

2 Answers

21

RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

The end of section 3.2 states:

This specification covers two classes of certificates: CA certificates and end entity certificates. CA certificates may be further divided into three classes: cross-certificates, self-issued certificates, and self-signed certificates.

  • Cross-certificates are CA certificates in which the issuer and subject are different entities. Cross-certificates describe a trust relationship between the two CAs.
  • Self-issued certificates are CA certificates in which the issuer and subject are the same entity. Self-issued certificates are generated to support changes in policy or operations.
  • Self-signed certificates are self-issued certificates where the digital signature may be verified by the public key bound into the certificate. Self-signed certificates are used to convey a public key for use to begin certification paths.

End entity certificates are issued to subjects that are not authorized to issue certificates.

phbits

  • So, if I'm reading this correctly, self-signed certificates always sit at the top of the certificate chain and self-issued certificates come from a self-signed CA. Does that sum it up? Told you I'm bad at reading RFCs :) – Keith Madaras Mar 13 '20 at 18:34
  • @KeithMadaras It means you are right. The RFC says nothing about the presence of a "public CA" or whatever; it only defines self-signed regarding which key can validate it. All public CAs start out with a self-signed certificate. They typically use this certificate to sign some intermediate certificate, which we could call "self-issued" since it's issued by the same entity that created the original certificate. These intermediate certificates are then used to issue certificates to "end users" (aka end entity certificates) or to create some trust with other CAs (cross-certificates). – Bakuriu Mar 14 '20 at 15:17
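The RFC's three-way split, as an added example that is not part of either answer: a short Python script using the `cryptography` library (an assumption about the environment; the CA names, hostnames and keys are all constructed) that sorts a certificate into the RFC 5280 section 3.2 classes. It also covers the case a private CA meets at key rollover, a certificate that is self-issued but not self-signed, and a subordinate CA certificate, which the RFC's own wording puts under "cross-certificate". Nothing in it asks whether a public CA is involved, which is the answer's point.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

CA_NAME = "Example Internal Root CA"  # constructed name, not a real CA


def make_cert(subject_cn, issuer_cn, subject_key, signing_key, is_ca):
    """Build a minimal X.509 certificate (constructed test data, EC keys only)."""
    now = datetime.datetime(2020, 3, 13, tzinfo=datetime.timezone.utc)
    cn = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder()
            .subject_name(cn(subject_cn))
            .issuer_name(cn(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))


def classify(cert):
    """Apply the RFC 5280 section 3.2 taxonomy to a single certificate."""
    try:
        is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False
    if not is_ca:
        return "end-entity"          # subject is not authorized to issue certificates
    if cert.subject != cert.issuer:
        return "cross-certificate"   # issuer and subject are different entities
    # Same entity on both sides, so the certificate is self-issued. It is
    # self-SIGNED only if its signature verifies under its own public key.
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "self-issued"
    return "self-signed"


old_key, new_key, sub_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
root = make_cert(CA_NAME, CA_NAME, old_key, old_key, True)       # trust anchor, signs itself
rollover = make_cert(CA_NAME, CA_NAME, new_key, old_key, True)   # new CA key certified by the old key
sub_ca = make_cert("Example Internal Issuing CA", CA_NAME, sub_key, old_key, True)
server = make_cert("app.corp.example", CA_NAME, leaf_key, old_key, False)


def demo():
    return {name: classify(c) for name, c in
            [("root", root), ("rollover", rollover), ("sub_ca", sub_ca), ("server", server)]}
```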
0

In the past I ran into a similar discussion with one of my friends, and thus comment:

You and your friend/colleague are both correct. However, your colleague is closer to the definition of a Self Signed Certificate (SSC), whereas you have looked at only one aspect of it.

self-signed certificate to be one that's created by the host that it resides on and has no further link to any chain, private or public.

It is partly true: given a case in your organization where one of the developers created a test/internal application and shared the Self Signed Certificate (SSC) [public key] created for it, you could add it to your root/trusted CA list and browse that application, thus making it a private chain.

You could also refer to https://aboutssl.org/what-is-self-sign-certificate/ which has multiple answers in parts that could help you better.

Technically, a Self Sign Certificate means the certificate is signed by the same individual whose identity it certifies. Here, in the signing procedure the private key is signed by the owner of the certificate itself (not by a trusted Certificate Authority). A self-sign certificate comes free of cost, which encourages internet users to secure a website with a free SSL Certificate. If a website has a limited number of pages and a smaller number of users, then a self-sign SSL certificate is a good option.

gronostaj

Jiger Jain