
I have a certificate for my web service issued with Let's Encrypt.

Another service that communicates with my web service requires that my certificate must be signed with theirs, otherwise their client will abort the connection attempt.

Questions:

  1. Is it possible for them to "add" their signature to my certificate? Would the answer be different with an issuer other than Let's Encrypt?
  2. Does this process require me to share any secret values (like the private key) with them?

Their certificate is self-signed and I suppose it is without Basic constraints (I think it matters here, but I am not an expert, hence the question...).

PS I understand the inconvenience that it will have to be done every 3 months, but nonetheless, question remains valid.

user2530062

1 Answer


is it possible for them to "add" their signature to my certificate? Would the answer be different with other issuer than Let's Encrypt?

There is nothing you need to do on your end. The remote party must use their own CA to re-sign the Let's Encrypt CA certificate, not yours. This will result in a cross-certificate with:

  • Issuer matches remote party's CA name
  • Subject matches original LE name
  • Public key/SKI extension matches original LE public key/SKI extension
  • Signature validated by remote party's CA public key
  • Other fields/extensions may be copied over or overwritten by the remote CA. For example, they may add a Name Constraints extension to the cross-certificate to filter valid LE certificates that match the Name Constraints configuration (otherwise, they will blindly accept all LE-issued certs).

The presence of this cross-certificate will allow the client to produce two chains:

  • Main chain that uses the normal LE path and ends up with a globally trusted root.
  • Alternate chain that uses the created cross-certificate and ends up with the remote party's root CA.

Client application must be able to handle multiple chains and have an appropriate logic to select the proper chain (with their root).

I understand the inconvenience that it will have to be done every 3 months

No. Cross-certificate validity can match LE CA validity (though not exceed it), which is way more than 3 months.

And again, all this must be done on remote party's end.

Crypt32
  • On first thought, that is a sensible answer. I was not aware this could be the case, so I omitted the fact that the other service is a physical machine where certificates cannot be updated remotely by design and nothing can be updated on their end (they, as an organization, can use their root cert though). Also, I don't really understand how in this scenario they could trust me but not any other web service that has a certificate signed with Let's Encrypt. I understand they want to remain in control of whose certificates they sign. Should I update the question, or is this irrelevant? – user2530062 Jan 27 '21 at 19:24
  • `how in this scenario they could trust me but not any other web service that has a certificate signed with Let's Encrypt` -- via the name constraints extension. Given your updates, you have to communicate with the remote party and get to an agreement on how to solve this technical issue. If you change your certificate to theirs, then you lose other clients who don't trust their certs. – Crypt32 Jan 27 '21 at 19:31
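The cross-certificate the answer describes, as an added example (not code from the question or the answer) using the Python `cryptography` library: a self-signed stand-in for the LE intermediate and a constructed remote root are generated, the intermediate is re-signed under the remote root keeping its subject, public key and SKI, a Name Constraints extension is added, and the resulting properties and the DNS name filter are checked. The names, the permitted DNS suffix and the one-year validity are assumptions.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.hazmat.primitives.asymmetric import ec

def _ca_cert(subject, pub, issuer_name, issuer_key, extra_exts=()):
    """Issue a CA certificate for `pub`, signed by `issuer_key` (constructed helper)."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False))
    for ext, critical in extra_exts:
        b = b.add_extension(ext, critical)
    return b.sign(issuer_key, hashes.SHA256())

def build_cross_cert(original, remote_ca_cert, remote_ca_key, permitted_dns):
    """Cross-cert: original subject/key/SKI; issuer, signature and Name Constraints from the remote CA."""
    nc = x509.NameConstraints([x509.DNSName(d) for d in permitted_dns], None)
    return _ca_cert(original.subject, original.public_key(),
                    remote_ca_cert.subject, remote_ca_key, [(nc, True)])

# Public key as DER SubjectPublicKeyInfo, and the SKI digest, for comparison.
_spki = lambda c: c.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
_ski = lambda c: c.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest

def cross_cert_matches(cross, original, remote_ca_cert):
    """Check the properties the answer lists: original subject, key and SKI; remote issuer and signature."""
    try:
        remote_ca_cert.public_key().verify(cross.signature, cross.tbs_certificate_bytes,
                                           ec.ECDSA(cross.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return (cross.subject == original.subject and cross.issuer == remote_ca_cert.subject
            and _spki(cross) == _spki(original) and _ski(cross) == _ski(original))

def dns_permitted(cross, dns_name):
    """RFC 5280 DNS name constraint: the name equals, or is a subdomain of, a permitted entry."""
    nc = cross.extensions.get_extension_for_class(x509.NameConstraints).value
    return any(dns_name == p.value or dns_name.endswith("." + p.value)
               for p in nc.permitted_subtrees)

def demo():
    """Constructed stand-ins: a self-signed 'LE intermediate' and the remote party's root."""
    le_key, remote_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    le_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Stand-in LE intermediate")])
    remote_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Remote party root")])
    le_ca = _ca_cert(le_name, le_key.public_key(), le_name, le_key)
    remote_ca = _ca_cert(remote_name, remote_key.public_key(), remote_name, remote_key)
    cross = build_cross_cert(le_ca, remote_ca, remote_key, ["my-service.example"])
    return cross, le_ca, remote_ca
```

Only the remote party's key is used to sign; the original certificate holder contributes nothing but the already public certificate, which answers the question about sharing secrets.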