I regularly find myself dealing with poor certificates within my intranet (or on temporary servers without a properly-signed cert). I haven't run across an approach that lets me save the certificate of a single website (including its CN) in a browser without also trusting it as a certifying authority for other websites. Is this conceptually possible, or is that outside the design of the PKI system?
Edit to clarify: Let's say I'm working on some local server, megaserver. I access it via https://megaserver in the browser. It has a self-signed certificate. In order to safely access this server for the time being, I add its certificate to my CA store in my browser. Someone steals that certificate, creates a new certificate for https://www.google.com, signs it with the megaserver certificate, and attacks me man-in-the-middle style. My browser accepts the Google certificate because it's signed by a trusted CA cert on my system. Is this hypothetical scenario possible?
It's a core feature of the whole SSL ecosystem. If you trust some CA, then everything that was signed by this CA would be trusted by your browser. It's the whole point of using a CA as a trusted third-party verification system. If the temporary sites you are talking about use self-signed certificates, then their CN should match only that particular CN. This type of certificate can be trusted individually on a site-by-site basis – Alex – 2017-02-09T16:43:38.097
@alex I added a clarification. Does the CN of the certificate limit its ability to sign other certificates? – Ethan T – 2017-02-09T16:54:10.953
No. A CA's CN can be, for example, abcd.com and they may sign xyz.net, qwert.com, but before they do that they verify the owners of xyz.net or qwert.com, either by simple email verification or up to asking for a passport, phone bills and so on. That is why you trust the CA: because they verified domain owners and signed their certificates on success. There are 3 major browsers and a few operating systems that manage CA trust and ship a list of CAs with their products. If a CA is not in such lists of trusted CAs, one can add the CA manually to the certificate store and trust any other certificates it has signed – Alex – 2017-02-09T23:26:30.737
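The scenario in the question and Alex's comments turns on one X.509 field: the basicConstraints extension. A trusted self-signed certificate can only vouch for other hosts if that extension says CA:TRUE; browsers and OpenSSL reject chains whose issuer carries CA:FALSE. The script below is an added demonstration, not code from the thread; the names megaserver and www.example.com are assumed, and it needs the openssl CLI (1.1.1 or later).

```shell
#!/bin/sh
# Added demonstration: a trusted self-signed certificate can act as an issuer
# for other hosts only when its basicConstraints extension says CA:TRUE.
set -e

# chain_result CA:FALSE|CA:TRUE
# Builds a self-signed "megaserver" cert with that basicConstraints value, signs a
# cert for another host with its key (the question's scenario), then validates the
# second cert with megaserver as the only trust anchor. Echoes accepted/rejected.
chain_result() {
    ca_flag="$1"
    dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = megaserver
[ext]
basicConstraints = critical,$ca_flag
EOF
    # 1. The self-signed megaserver certificate a user might add to a trust store.
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/mega.key" -out "$dir/mega.crt" >/dev/null 2>&1
    # 2. A certificate for a different host, signed with megaserver's key.
    openssl req -new -config "$dir/req.cnf" -subj "/CN=www.example.com" \
        -newkey rsa:2048 -nodes -keyout "$dir/other.key" -out "$dir/other.csr" \
        >/dev/null 2>&1
    openssl x509 -req -in "$dir/other.csr" -days 1 -CA "$dir/mega.crt" \
        -CAkey "$dir/mega.key" -CAcreateserial -out "$dir/other.crt" >/dev/null 2>&1
    # 3. Path validation with megaserver as the sole trusted root.
    if openssl verify -CAfile "$dir/mega.crt" "$dir/other.crt" >/dev/null 2>&1; then
        result=accepted
    else
        result=rejected
    fi
    rm -rf "$dir"
    echo "$result"
}

# basic_constraints FILE: shows what a certificate claims about itself, which is
# the thing to inspect before adding it to a CA store.
basic_constraints() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints'
}

echo "CA:FALSE -> $(chain_result CA:FALSE)"   # rejected: invalid CA certificate
echo "CA:TRUE  -> $(chain_result CA:TRUE)"    # accepted: trusted as an issuer
```

Run basic_constraints on any self-signed certificate before importing it: a plain server certificate shows "CA:FALSE" (or no extension at all), while one that would let the key mint certificates for other names shows "CA:TRUE".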