2

Maybe a quick question. We have Palo Alto's that perform SSL Decryption using a sub CA certificate issued by our internal Root CA. This is working for our internal windows domain computers as the root CA and sub CA are pushed down to all of them via Group Policy. My question is we have a few Mac users that GPO doesn't work with, so they will manually need to add the certificates.

My question is, if the subCA installed on the Palo Alto (doing Dynamic SSL generation for sites), is also installed on these Macs. Why are the users still getting untrusted connection detected in their browser? It complains that "This certificate cannot be verified up to a trusted certification authority".

If I install the root CA certificate additionally, they no longer receive errors. Hooray!

However, my question is why do clients need the root CA if the sub CA(on Palo Alto) was the one that generated the explicit certificate(such as bankofamerica.com, etc).

Jim
  • 121
  • 1
  • 2
  • Firefox and Safari both do this? – StackzOfZtuff May 14 '15 at 15:36
  • 1
    Logically: if you don't have the root certificate, how do you check (and verify) if the subCA's certificate has been revoked? I think you have 2 choices: either provide the root cert, or pin the subCA's cert so that it's "unrevokable" (ie treated like a root), then you don't care. – Mike Ounsworth May 14 '15 at 15:38
  • Interesting, I thought by adding the subCA cert manually to Trusted CAs on the client would make it trust itself and any certs signed by the subCA. – Jim May 14 '15 at 18:24
  • @MikeOunsworth Shouldn't adding the subCA to the trusted list mean it *is* being treated like a root? The impression I got from the question is that the root and sub CAs were installed the same way, so is there something OS X does differently between the two? – cpast May 14 '15 at 19:04
  • 1
    @cpast I agree that it sounds like they're (trying) to pin the subCA cert so that it's treated like a root, but at the end of the day it's up to each app to actually treat it that way. It sounds like the Windows clients are playing ball, but the OS X ones aren't....Sounds like a question for the vendor of that OS X software. – Mike Ounsworth May 14 '15 at 19:11
  • 1
    The entire certificate chain must be verified not just the first level. – RoraΖ May 14 '15 at 23:34

1 Answers1

2

The reason is that most cert stores do only treat CA certificates signed by itself as root certificates. SubCA certificates will in most cases be added to a store called "intermediate certificate issuers". This store does not add any trust to the certificate, its only as a convience to the computer in case the server only sends its own cert, not the intermediate certificate that links to the root.

(some misconfigured server might send only cert (A) of (A)-(B)-(C). If the (C) is in root store, the computer wont be able to complete the chain and would complain on (A) being untrusted. Thus (B) is added to the intermediate store, which is not trusted, but adds the link between (A) and (C), making (A) trusted. The reason its unsafe to trust (B) automatically, is that (C) might get revoked and any linked certificate must revoke too)

Any certificates in the "intermediate certificate issuers" must chain up to a certificate inside the trusted root store to be trusted.

But in most certificate stores, it should be manually possible to inject a certificate in the root store even if it not signed by itself. Sometimes, you must check a checkbox that you want to install the cert manually, sometimes you need to manually wander in the stores and add the certificate using a button

sebastian nielsen
  • 8,779
  • 1
  • 19
  • 33