1
Lets say we have a business owned internal CA. Its certificate is trusted by one of the Trusted Roots that is present in all browsers.
With that CA, we issue a bunch of certificates for servers in the organisation - say for webmail over SSL.
For a user coming to visit that webmail server, and has the Trusted Root present in its trusted root certificate store, would it automatically trust the webmail server cert, even though it does not explicitly trust the business CA certificate?
My understanding that intermediate certificates inherit the trust of their signatory, but want to confirm.
Paul
Posted 2011-11-17T21:08:28.983
Reputation: 52 173
Yes, I understand the chain must be presented, but my question is explict trust of the intermediary. The certificate presented by the webserver isn't trusted in itself, but is signed by a CA that also isn't trusted, but CA cert is signed by a Root which is trusted. We trust the Webserver because it is signed by a CA thats certificate is signed by a Root? No need to trust the CA directly by having its cert in our trusted certs repository? – Paul – 2011-11-17T22:21:31.503
@Paul: Yes! This is the whole point of intermediate certs... No need to trust them explicitly, having their "parent" root CA trusted explicitly is enough. – haimg – 2011-11-18T00:42:40.640
Hold on a second. What is to stop my CA issuing a cert for microsoft.com provided I present the chain with a trusted root at the top, from my webserver? – Paul – 2011-11-23T12:44:44.763
@Paul: Nothing. Some people put too much trust into PKI. But basically "some random CA" is not much safer than self-signed cert, trust-wise. But, of course, you cannot just order a signed sub-CA from a reputable CA, without some assurances about how it is going to be used. – haimg – 2011-11-24T04:05:57.303