1

Assume you have a certificate (X509 v3) chain sent to you for validation. The chain sent to you may or may not include the root CA certificate. Is there a reliable way to find out whether this is the case?

Quite obviously only the certificate at the top of the hierarchy may be the root CA certificate, but how would I check this? I came up with a check for equality between issuer and subject, and this seems to work fine for all cases I found so far, but I'm not sure whether is foolproof.

Edit: This is not about a manual check or about which tool to use, it's about a programmatic check. So using openSSl to perform checks (as suggested in a 'possible duplicate' claim) is not an option. The question is which certificate attributes or extensions I can use in which fashion to reliably identify a root CA certificate in a given chain.

To make the question even more to the point: I suggested to check whether subject==issuer right from the beginning. The question is whether this is a foolproof approach. So is it possible to rely on the fact that this is true if and only if it is a root certificate? What happens if I create a root certificate and a derived intermediate CA certificate and, in the latter, just choose the subject equal to the issuer? Will that result in a valid certificate? (The authority key identifier may well correctly point to the key identifier of the root CA).

(Note that I did not ask how to check whether I should trust the chain. I want to know how to reliably identify a root CA certificate in a chain).

Thomas
  • 121
  • 1
  • 1
  • 6
  • 3
    "but how would I check this?" - [Use openssl to individually verify components of a certificate chain](http://security.stackexchange.com/questions/118062/use-openssl-to-individually-verify-components-of-a-certificate-chain). And the root cert is the one which is part of the chain but self-signed. – Steffen Ullrich Aug 11 '16 at 16:33

2 Answers2

3

Simply check if Issuer and Subject fields for equality. If they are equal, the certificate is self-signed and represents root certificate. Otherwise, the certificate is intermediate certificate. Of course, public key in the root certificate must validate its own signature.

Edit to follow up OP edit:

The question is which certificate attributes or extensions I can use in which fashion to reliably identify a root CA certificate in a given chain.

you must check that isCA attribute of Basic Constraints certificate extension is set to True in all CA certificates. And this extension SHALL be marked critical.

What happens if I create a root certificate and a derived intermediate CA certificate and, in the latter, just choose the subject equal to the issuer?

there are two outcomes:

The authority key identifier may well correctly point to the key identifier of the root CA

you will create a loop in the chain which is detected by most certificate chaining engines. Otherwise, the certificate will not be a part of your chain with root and intermediate certificate.

Crypt32
  • 5,901
  • 12
  • 24
  • thank you for your answer. It indicates that the check I already suggested may work, but I sitll have some doubts. See the edit to my question. Are you saying that Issuer = Subject _and_ validiation of signature will suffice? – Thomas Aug 11 '16 at 18:02
  • Subject and issuer are same in the case of a Self signed certificate also. So I don't think this is a good way of determining if a certificate is CA certificate – Sapnesh Naik Oct 29 '19 at 06:17
  • Root CA certificates are self-signed. – Crypt32 Oct 29 '19 at 06:54
0

You need to check two conditions:

  1. Issuer is the same as the Subject
  2. The certificate is trusted

The second condition is required because you might very well pass off certificates created by a random CA.

sandyp
  • 1,126
  • 1
  • 9
  • 17