3

I was checking out the SSL chain on onlineaccess.ncsecu.org because a network glitch made me paranoid. Both Firefox and IE on my computer have this chain:

onlineaccess.ncsecu.org
Serial number 6C:16:7D:5A:D0:A3:0B:06:D2:C1:DE:A4:7C:C4:A9:23
^
Symantec Class 3 Secure Server CA - G4
Serial number 51:3F:B9:74:38:70:B7:34:40:41:8D:30:93:06:99:FF
^
VeriSign Class 3 Public Primary Certification Authority - G5
Serial number 18:DA:D1:9E:26:7D:E8:BB:4A:21:58:CD:CC:6B:3B:4A

However, multiple SSL chain checker sites around the internet, e.g. https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp, say that the VeriSign G5 certificate at the end of that chain has a different serial number: 25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd. They all agree on the other two certificates in the chain.

So are there actually two different legitimate versions of the VeriSign certificate which can be used to sign the same child certificate?

Sam Skuce
  • 573
  • 1
  • 4
  • 7
  • Which cert has a different fingerprint? G5 or G4? G4 is an intermediate cert, G5 is a root cert. – Gerald Davis Jul 03 '15 at 15:59
  • @GeraldDavis, G5 is the one with the different serial. I updated the text to reflect this. – Sam Skuce Jul 03 '15 at 16:06
  • Then you may wish to update the title. The first cert in the trust chain is commonly called the root cert. I notice the tool doesn't call it that but if you say root cert (especially on this site) most people will immediately know what you are talking about. – Gerald Davis Jul 03 '15 at 16:42

2 Answers2

4

So are there actually two different legitimate versions of the VeriSign certificate which can be used to sign the same child certificate?

Signing is done by the public key in the certificate. Both certificates have the same public key, so both can be used to verify the signature. The difference is that 18:da:d1:9e:26:7d:... is issued by itself while 25:0c:e8:e0:30:61:2e:... is signed by C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority.

Such setup is common if one wants to introduce a new root CA, like when switching the quality of the public key, i.e. 1024 bit to 2048 bit. Since it takes some time to get this new CA trusted everywhere one first signs the new root CA by an existing trusted root CA so that browsers can verify the trust path. Once this new CA is established one can abandon the old root CA.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
3

As steffen points out there is a different between the public key and the cert fingerprint. The same public key can be reused in a new cert. A common example would be replacing a cert which is going to expire soon.

The sad thing is symantec's own tool and website is at best misleading and at worst downright confusing.

Symantec began having OSes and browsers use the newer G5 cert (ending 3b 4a) years ago. That is the reason why when you perform an analysis you get that chain. One would need a very old browser and/or OS to resolve the chain using the older G5 cert (ending f8 fd).

The chain that symantec's tool resolves isn't resolved. Meaning the last cert is not a root cert. The root cert that signed the older G5 cert (ending f8 fd) is no longer used which makes it doubly confusing. They show and incomplete chain and the older obsolete chain.

Simple version your site is fine, your browser is fine, your OS is fine. Symantec however can't be bothered to keep their own tool up to date.

Gerald Davis
  • 2,250
  • 16
  • 17