I used the below command to open a certificate of a website that I downloaded from Firefox. What part of the downloaded certificate indicates that it is a CA's certificate?
openssl x509 -in ca.crt -text -noout
What part of the downloaded certificate indicates that it is a CA's certificate?
A CA certificate can be used to issue other certificates by signing these. This signature is only accepted if the issuing certificate contains the extension CA:true:
X509v3 Basic Constraints: critical
CA:TRUE
If this extension is not there or not TRUE, it is either a very old type of certificate which does not support any extensions at all (X.509v1 not X.509v3) or it is a leaf certificate, i.e. the end of the trust chain, which cannot be used to issue new certificates.
Note that there are root CA and intermediate CA certificates. A root CA is usually self-signed, i.e. subject and issuer are the same. These root CAs are placed as the pre-trusted ultimate trust anchor in the local trust store and used when building the trust chain to the leaf certificate. For more see SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?.
A CA root certificate will be self-signed, and can be detected by comparing the Subject and the Issuer for the cert:
$ openssl x509 -in ca.crt -text -noout | egrep "Subject:|Issuer:"
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
$
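The two checks from the answers above (Basic Constraints `CA:TRUE`, and Subject equal to Issuer) combined into one shell function that reads the `openssl x509 -text -noout` output. This is an added example, not part of either answer; the function name `classify_cert_text`, its output labels and the sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Classify a certificate from `openssl x509 -text -noout` output on stdin.
# Prints: root-ca | intermediate-ca | leaf | v1-no-extensions
classify_cert_text() (
    text=$(cat)
    # First value of a top-level field such as "Issuer" or "Subject".
    field() {
        printf '%s\n' "$text" |
            sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" |
            sed 's/[[:space:]]*$//' | head -n 1
    }
    issuer=$(field Issuer)
    subject=$(field Subject)
    version=$(field Version | sed 's/[^0-9].*//')
    # openssl prints the CA flag on the line after the extension header.
    ca_flag=$(printf '%s\n' "$text" |
        awk '/X509v3 Basic Constraints/ { getline; print; exit }')
    case "$ca_flag" in
        *CA:TRUE*)
            # Subject == Issuer is the name comparison from the answers; it
            # shows the cert is self-issued, not that its signature verifies.
            if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then
                echo root-ca
            else
                echo intermediate-ca
            fi ;;
        *)
            # No CA:TRUE: a v1 cert cannot carry extensions; otherwise a leaf.
            if [ "$version" = 1 ]; then echo v1-no-extensions; else echo leaf; fi ;;
    esac
)

# Constructed excerpts of openssl text output (not complete certificates).
ROOT_SAMPLE='        Version: 3 (0x2)
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
            X509v3 Basic Constraints: critical
                CA:TRUE'
LEAF_SAMPLE='        Version: 3 (0x2)
        Issuer: CN = Example Intermediate CA
        Subject: CN = www.example.test
            X509v3 Basic Constraints: critical
                CA:FALSE'
printf '%s\n' "$ROOT_SAMPLE" | classify_cert_text
printf '%s\n' "$LEAF_SAMPLE" | classify_cert_text
# Real use: openssl x509 -in ca.crt -text -noout | classify_cert_text
```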