2

Suppose I have my own website mydomain.example and I've got a certificate from a CA, e.g. Let's Encrypt. What prevents me from issuing a new certificate for one of my friends' websites, friend.example?

Domien
  • 121
  • 3

2 Answers

4

In order for your certificate to be used to sign other certificates, this would have to be specified in the basic constraints field of your certificate. For any certificate issued by Let's Encrypt, or any other trusted root CA, this is not permitted. See https://stackoverflow.com/questions/21319841/signing-certificate-with-another-certificate-signed-by-ca/21322032#21322032 for more info.

mti2935
  • 19,868
  • 2
  • 45
  • 64
  • Changed the wording to be crystal clear that it’s not permitted. Any issuer doing this would violate the trust of the entire internet, and would immediately have their certificates revoked. – John Deters Apr 11 '20 at 01:48
  • Your statement regarding "any other trusted root CA" is not correct. – mentallurg Apr 11 '20 at 01:51
  • @JohnDeters Thanks for your changes. I agree that these clarify the answer. – mti2935 Apr 11 '20 at 01:52
3

Technically you can of course issue certificates of any type. You can create a self-signed root certificate and you can consider yourself a CA (Certification Authority). Then using this certificate you can issue any certificates you want. But nobody will trust your root certificate, and thus any certificates you issued. Browsers of normal users will warn them in case some web site uses a certificate issued by you, or, depending on configuration, will refuse to open such web sites.

To become a CA trusted by others you should have a solid reputation and fulfill various other requirements.

When you applied for a certificate, you chose a particular certificate type: domain identification, or S/MIME for signing emails, or for signing code, etc. In all these cases the issuer has not set, in the certificate's basic constraints field, that you are permitted to issue certificates. Suppose you issued a certificate to your friend and signed it with your key. But when any normal browser establishes a connection to your friend's web site, it will download its certificate and check the whole chain of certificates upstream; all certificates must be valid. The browser will see that the certificate was issued by you, and that your certificate is not eligible for issuing certificates. Thus, your friend's certificate will be considered not trusted, and the browser will either warn the user or refuse to load the web site.

Can only a root CA issue certificates? No. A few examples:

  • A certificate of www.google.com is issued by the company Google Trust Services, which is a CA, but not a root CA. The current certificate of this company is issued by GlobalSign, which is a root CA.
  • A certificate of www.microsoft.com is issued by the company... surprise: by Microsoft Corporation, which is a CA, but not a root CA. And its certificate in turn is issued by the company Baltimore CyberTrust, which is a root CA.

Many other big companies have their own CAs. But it is not so easy to become a CA.

mentallurg
  • 8,536
  • 4
  • 26
  • 41
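Both answers come down to the same mechanism: the issuer decides what goes into basicConstraints (and keyUsage), and the relying party checks it on every certificate in the chain. The script below is an added example, not code from either answer or from any CA. It builds a small three-level PKI with openssl (a constructed "Example Root CA", an intermediate "Example Issuing CA" with CA:TRUE, and an ordinary server certificate for mydomain.example with CA:FALSE), then does exactly what the question proposes: it signs a certificate for friend.example with mydomain.example's key and asks openssl to validate both chains the way a browser would, trusting only the root and taking the intermediates from the server. It assumes openssl 1.1.1 or newer on PATH; every name, key and file is generated for the demo.

```shell
#!/bin/sh
# Added example, not code from either answer: root CA -> intermediate CA ->
# server cert for mydomain.example, then a friend.example cert signed with the
# server's key. Assumes openssl 1.1.1+ on PATH; all names are constructed.

# Minimal req config so nothing depends on the system openssl.cnf.
# The v3_ca section is only used for the self-signed root.
write_req_config() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Fresh RSA key plus CSR: $1 dir, $2 basename, $3 common name
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
}

# Sign a CSR with an issuer's cert and key, adding exactly the extensions in $4.
# "openssl x509 -req" does not copy extensions from the CSR, so the issuer alone
# decides what the certificate says, basicConstraints included.
# $1 dir, $2 subject basename, $3 issuer basename, $4 extension text
sign_csr() {
  printf '%s\n' "$4" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
    -CAcreateserial -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt" >/dev/null 2>&1
}

# Build root -> inter -> mydomain, then the friend certificate. $1 dir
make_chain() {
  write_req_config "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/req.cnf" -days 3650 \
    -keyout "$1/root.key" -out "$1/root.crt" -subj "/CN=Example Root CA" >/dev/null 2>&1
  new_csr "$1" inter "Example Issuing CA"
  sign_csr "$1" inter root 'basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign'
  # What a public CA hands out for a web site: CA:FALSE and no keyCertSign.
  new_csr "$1" mydomain mydomain.example
  sign_csr "$1" mydomain inter 'basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mydomain.example'
  # Nothing stops the key holder from signing; the check happens on the client side.
  new_csr "$1" friend friend.example
  sign_csr "$1" friend mydomain 'basicConstraints = critical,CA:FALSE
subjectAltName = DNS:friend.example'
  # The intermediates each server would send alongside its own certificate.
  cat "$1/inter.crt" > "$1/mydomain-chain.pem"
  cat "$1/inter.crt" "$1/mydomain.crt" > "$1/friend-chain.pem"
}

# Validate like a browser: trust only the root, take intermediates from the
# server, require the host name. Exit status is openssl's (0 = chain accepted).
verify_chain() {  # $1 dir, $2 cert basename, $3 hostname
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2-chain.pem" \
    -verify_hostname "$3" "$1/$2.crt"
}

# Print the basicConstraints value of a cert, e.g. "CA:FALSE". $1 dir, $2 basename
basic_constraints() {
  openssl x509 -in "$1/$2.crt" -noout -text |
    sed -n '/Basic Constraints/{n;s/^ *//;p;}'
}

demo=$(mktemp -d)
make_chain "$demo"
echo "mydomain.example is $(basic_constraints "$demo" mydomain)"
verify_chain "$demo" mydomain mydomain.example || echo "rejected (exit $?)"
verify_chain "$demo" friend friend.example || echo "rejected (exit $?)"
rm -rf "$demo"
```

The first verify prints `mydomain.crt: OK`; the second reports `invalid CA certificate` at depth 1 and exits non-zero, even though the signature on friend.crt is mathematically valid and the host name matches. The rejection is purely a consequence of basicConstraints CA:FALSE (and the keyUsage without keyCertSign) on the certificate that did the signing, which is the field both answers refer to. Signing the friend certificate with inter.key instead, i.e. with a certificate whose issuer granted CA:TRUE, is what the Google and Microsoft examples in the second answer describe.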