Basic self-signed certificate questions

Question

A few basic questions around self-signed certificates

Question 1

Does a self-signed certificate has to have a CA? I realize that a "real" certificate must as it otherwise can be chain validated but what about self-signed?

Question 2

If a self-signed hasn't got a CA - should it still go in the trusted CA store to not cause chain validation errors when using it for test?

Question 3

Is there a way to see if a self-signed cert is signed by a CA - if it has a CA does that effect the question above? Do I then have to have the CA to trust it or can I still just put the actual cert in the CA store to create a secure SSL channel for example?

Answer 1

A certificate is signed by the CA which issues it. A self-signed certificate, by definition, is not issued by a CA (or is its own CA, if you want to view it like this).

A certificate may have CA power, i.e. be trusted to sign other certificates, or not, depending on whether it contains a Basic Constraints extension with the cA flag set to TRUE (cf the standard).

What happens is the following: when some application wants to validate a certificate (e.g. a Web browser who wants to do SSL with a server, and just obtained the server's certificate), it will want to build a certificate chain which begins with a "trust anchor" (one of the certificates in its "trusted root" certificate store) and ends with the certificate to validate (called "EE" as "end-entity"). Exact rules for a chain to be valid are intricate and full of details; for the purposes of this answer, let's limit ourselves to these necessary conditions:

• The chain must start with a trust anchor.
• Each certificate is signed by the previous certificate in the chain (i.e. the signature on each certificate is to be verified relatively to the public key as is stored in the previous certificate).
• Each certificate except the end-entity has a Basic Constraints extension with the cA flag set to TRUE.

So a self-signed but not CA certificate, when used as a trust anchor, will be accepted as valid as an end-entity certificate (i.e. in a chain reduced to that certificate exactly) but not otherwise. This is the normal case. When, as a browser user, you want to accept a given self-signed certificate as valid, you actually tell your browser that the self-signed certificate should become a trust anchor -- but you certainly do not want to trust that certificate for issuing other certificates with other names ! You want to trust it only for authenticating a specific site.

As usual, details may vary -- not all browsers react in the exact same ways. But the core concepts remain:

• A self-signed certificate lives outside of the CA world: it is not issued by a CA.
• A client (browser) uses trust anchors as the basis for what it trusts.
• A self-signed certificate for a Web server, usually, should be trusted (if at all) only for that server, i.e. added as a trust anchor, but not tagged as "good for issuing certificates".

When a chain is reduced to a single certificate, i.e. the end-entity is also the trust anchor, then this is known as direct trust: a specific certificate is trusted by being already known, exactly, instead of being trusted by virtue of being issued by a trusted CA.

Answer 2

1. No. A self-signed certificate is not signed by a CA - it is signed by itself. However, all CAs publish a self-signed certificate that is used to sign other certificates. A "trusted CA" is one that is included in your operating system or browser, or one that you explicitly choose to trust.

2. Depends on the self-signed cert. If you are using it as a CA and to sign other certificates in your organization, then I might add it to my Trusted CA store. If it's used only to authenticate a particular server, and is not used as a CA, I would include it in a different store, such as "trusted publishers". Even then, I would be careful to make sure the certificate is being stored and handled carefully - anyone who gets it can do whatever they want to your machines that trust it. I would never place a random certificate in my trusted CA store.

3. A self-signed certificate is found at the end a chain of trust - it says "I am my own parent." Validating the chain of certificates that signs an ordinary certificate means validating the signatures of each signer, all the way back until you find a self-signed certificate. At that point, the self-signed certificate needs to be in your trusted CA store.