0

I am new to SSL certificates and trying to wrap my head around this concept. As per my understanding when a valid certificate is signed (by one of the many official CAs) it can also sign a certificate that is part of the same SSL trust chain - after all every certificate has a public-private key pair. Lets consider the following example:

A certificate is issued for example.com and sing by and intermediate certificate:

root cert -> intermediate cert -> example.com cert

Now a browser can verify that example.com has a valid certificate by following the certificate chain up until the root cert. What happens if the example.com decides to sign (using its own private key) a certificate for another entity untrusted.com? Now we have the following certificate chain:

root cert -> intermediate cert -> example.com cert -> untrusted.com

Lets say a client tries to establish a secure connection with untrusted.com. The browser will validate the untrusted.com's certificate by using example.com's public key. Then it will verify that example.com's certificate is also valid by using intermediate's public key ... and this will go all the way down to the valid root certificate. Is there a rule that prevents long certificate chains or am I missing something?

Thanks in advance!

dimitar.d
  • 101
  • 2
  • `example.com cert` is not a CA, so a browser won't use it to trust `untrusted.com`. – forest Mar 19 '22 at 00:50
  • 2
    Whether or not a certificate can be used to sign another certificate is defined by the *basic constraints* field of the certificate. See https://security.stackexchange.com/questions/249347/what-differentiates-a-ca-cert-from-a-server-cert for more info. – mti2935 Mar 19 '22 at 01:18
  • 1
    Does this answer your question? [Understanding SSL certificate signing](https://security.stackexchange.com/questions/38949/understanding-ssl-certificate-signing) – David Z Mar 19 '22 at 02:03
  • @DavidZ yes, it does answer my question perfectly! Thank you! – dimitar.d Mar 19 '22 at 11:25

0 Answers0