
If I have a self-signed CA certificate in my truststore, and I am sent a chain of certificates where the root CA is missing, is this a problem and if so why? Say that the last certificate in the chain is called S and is signed by CA.

If the issuer for S is the same as the subject and issuer for the CA-cert in my truststore, and the public key from the truststore document can be used to verify the signature in S, would this be equivalent to including the self-signed CA cert in the chain?

More: I can imagine the CA having the same public key for two different private keys (but I don't see why they'd do that purposely). This would mean that some fields, in the self-signed cert with the private key that encrypted S's hash, could be different from the fields in our truststore cert, but the same public key could be used for both. If that is the case, couldn't the entity that sent me the chain just include my truststore certificate at the top, in order to deceive me? So I don't see why including a root certificate in the chain would make a difference in terms of trustworthiness, in that case either.

  • Sending the root certificate as one of the certificates in the chain sent from the server to the client is optional. See https://security.stackexchange.com/questions/65332/ssl-root-certificate-optional for more info. – mti2935 Mar 15 '22 at 14:15
  • WRT, 'CA having the same public key for two different private keys', this is impossible with RSA and ECC. See https://crypto.stackexchange.com/questions/24125/multiple-private-keys-for-single-public-key for more info. – mti2935 Mar 15 '22 at 15:58
  • @mti2935 In the case of RSA, this is not totally true; for every public key there can be more than one private key; See here [More than one private key for RSA](https://crypto.stackexchange.com/q/87583/18298). In short this is Lambda vs Phi. – kelalaka Mar 15 '22 at 22:27

1 Answer

You're right that sending the root CA is pointless. Either it's redundant because the client already has it, or it'd be untrusted if the client didn't. There's no problem with not sending it. In fact, decent scanning tools like SSL Labs will issue a warning if you do send it.
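The situation in the question, as an added example that is not part of the original question or answer: a throwaway PKI built with openssl, where the client's trust store holds only the self-signed root, S is verified against it both with and without the root in the chain the peer sends, and an attacker's chain is tried in the two forms the question describes (a look-alike self-signed root with the same subject name but a different key, and a copy of the genuine root appended to a certificate the genuine CA never signed). It assumes an `openssl` binary (1.1.1 or newer) on PATH; every name and file in it is invented.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Builds a throwaway PKI with openssl and checks which certificate actually
# anchors trust: the one in the client's trust store, or the one the peer sends.
# Assumes an `openssl` binary (1.1.1 or newer) on PATH; every name is invented.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

gen_self_signed() {  # $1 = file stem, $2 = subject CN; self-signed CA cert + key
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_leaf() {  # $1 = file stem, $2 = issuing CA stem, $3 = leaf CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# verify_chain LEAF TRUSTSTORE [CHAIN_SENT_BY_PEER]
# Exit status is openssl's: 0 only if a path from LEAF to a TRUSTSTORE cert is
# built and every signature on it verifies. The peer-sent chain is passed as
# -untrusted, which is how a client treats a server's chain: usable for path
# building, never as a trust anchor.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
pubkey_sha256() {  # SHA-256 over the DER SubjectPublicKeyInfo of a cert
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The genuine root CA: the only thing in the client's trust store.
gen_self_signed root "Example Root CA"
issue_leaf s root "s.example"                # S, signed by the genuine CA
# An attacker's self-signed cert with the SAME subject name as the trusted
# root but a different key pair, plus a look-alike S signed by it.
gen_self_signed fakeroot "Example Root CA"
issue_leaf fake_s fakeroot "s.example"

TRUSTSTORE="$WORK/root.crt"
cat "$WORK/s.crt" "$WORK/root.crt"      > "$WORK/chain_s_plus_root.pem"
cat "$WORK/fake_s.crt" "$WORK/root.crt" > "$WORK/chain_fake_plus_root.pem"

report() { if "$@"; then echo "OK"; else echo "REJECTED"; fi; }
echo "issuer of S      : $(issuer_of "$WORK/s.crt")"
echo "subject of anchor: $(subject_of "$TRUSTSTORE")"
printf 'S, root omitted from chain          : '
report verify_chain "$WORK/s.crt" "$TRUSTSTORE"
printf 'S, root included in chain           : '
report verify_chain "$WORK/s.crt" "$TRUSTSTORE" "$WORK/chain_s_plus_root.pem"
printf 'fake S + copy of the genuine root   : '
report verify_chain "$WORK/fake_s.crt" "$TRUSTSTORE" "$WORK/chain_fake_plus_root.pem"
printf 'fake S + look-alike self-signed root: '
report verify_chain "$WORK/fake_s.crt" "$TRUSTSTORE" "$WORK/fakeroot.crt"
```

The first two cases come out the same because the verifier selects the issuer by matching S's issuer name against the subject names in the trust store and then checks S's signature with that stored key; a copy of the root in the sent chain adds nothing to that. The two attacker cases are rejected for the reason the question suspects they should be: a peer can put any self-signed certificate at the top of its chain, including a byte-for-byte copy of the client's own anchor, but the signature on its end-entity certificate still has to verify under the key the client already holds, and the look-alike root's key (compare `pubkey_sha256` of `root.crt` and `fakeroot.crt`) is not that key.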