
I've been trying to follow certificate chains of random websites I visit and see if I do indeed find them in my Windows 10 trusted root certificate authority store. I almost never find an exact match, especially with the Common Name "CN" attribute. So which of the subject attributes, e.g. (CN, OU, O, L, S, C, etc.), does your browser use to say "Oh, this certificate out of the trusted certificate chain matches this particular one I already have installed and trust"?

Ultratrunks
  • I thought name matching for path construction involved the full issuer vs subject name. Can you include details of the certificate path and what browser you're using? – Marc Jan 01 '18 at 15:42
  • I added a comment to Steffen Ullrich's answer explaining what happened. – Ultratrunks Jan 02 '18 at 19:57

1 Answer


The full subject of the issuer certificate should match the full issuer attribute of the issued certificate.

I almost never find an exact match, especially with the Common Name "CN" attribute.

My guess is that you look at the issuer of the server certificate and then try to find the matching root CA. But usually there is an intermediate CA in between server certificate and root CA. This means the issuer of the server certificate is the intermediate CA and the issuer of the intermediate CA is the root CA.

In other words: The server certificate is not issued directly by the root CA. The issuer of the server certificate is therefore not the subject of the root CA. And you cannot find the root CA just by looking at the server certificates issuer.

Instead you have to explicitly take intermediate certificates into account. For example:

Server certificate of security.stackexchange.com:

subject: /C=US/ST=NY/L=New York/O=Stack Exchange, Inc./CN=*.stackexchange.com
issuer:  /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA

Intermediate certificate - subject matches issuer of server certificate:

subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
issuer:  /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

Root CA - subject matches issuer of intermediate certificate:

subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
issuer:  /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

For more information see also SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?

Steffen Ullrich
  • Yes, you are correct. Also, what added to the confusion is that the certificate path tab uses **friendly name** when available instead of **subject**. For example, if you look at the path for the cert for stackexchange.com https://imgur.com/a/MwhRo you see that the root cert is "DigiCert"; however, if we go and open up that cert https://imgur.com/a/LNaYP we see that it was actually issued to "DigiCert High Assurance EV Root CA". So that was tricking me as well. I should have been searching for thumbprints and things would have matched up for me. – Ultratrunks Jan 02 '18 at 17:21
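The matching the answer describes, and the thumbprint point from the comment, as an added example that is not code from the original question, answer or comments: the script below uses the openssl CLI to mint a throw-away root, intermediate and server certificate whose names mirror the DigiCert example above (made-up names and freshly generated keys; no real DigiCert material), then walks the chain the way a path builder does, comparing the full issuer DN of each certificate with the full subject DN of the next and recognising the root by SHA-256 thumbprint rather than by any display name. It finishes with `openssl verify` run with and without the intermediate. Assumptions: an openssl CLI (1.1.1 or 3.x) and a POSIX sh; the function names `issue`, `dn`, `thumbprint`, `in_trust_store`, `build_path` and `verify_leaf` are my own.

```shell
#!/bin/sh
# Added example, not code from the original question, answer or comments. It builds a
# throw-away three-level chain (root -> intermediate -> server cert) with the openssl
# CLI and then walks it the way a path builder does: the full issuer DN of each
# certificate must equal the full subject DN of the next, and the walk ends only when
# it reaches a certificate that is in the trust store, matched by thumbprint.
# All names, keys and certificates below are generated here and are made up.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
TRUST="$WORK/trust"          # stands in for the OS root store; holds root.crt only
mkdir -p "$TRUST"

# Extension files. A CA certificate must carry basicConstraints CA:TRUE or openssl
# will refuse to use it as an issuer; the intermediate and leaf also get an
# authorityKeyIdentifier pointing at the issuer's subjectKeyIdentifier.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' > "$WORK/root.ext"
{ cat "$WORK/root.ext"; echo 'authorityKeyIdentifier=keyid'; } > "$WORK/ca.ext"
printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
  'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:*.stackexchange.com' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$WORK/leaf.ext"

# issue NAME SUBJECT EXTFILE [ISSUER]: writes $WORK/NAME.key and $WORK/NAME.crt;
# without ISSUER the certificate is self-signed (a root).
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr"
  if [ $# -eq 3 ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 -sha256 \
      -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 30 -sha256 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
  fi
}
issue root '/C=US/O=Example Inc/OU=www.example.com/CN=Example High Assurance EV Root CA' "$WORK/root.ext"
issue int  '/C=US/O=Example Inc/OU=www.example.com/CN=Example SHA2 High Assurance Server CA' "$WORK/ca.ext" root
issue leaf '/C=US/ST=NY/L=New York/O=Stack Exchange, Inc./CN=*.stackexchange.com' "$WORK/leaf.ext" int
cp "$WORK/root.crt" "$TRUST/"    # only the root is "installed"; the intermediate is not

# dn CERT subject|issuer: the complete DN in RFC 2253 form. Path building compares
# the whole name, not CN or any other single attribute.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }
# SHA-256 thumbprint: identifies one exact certificate, whatever display name a UI gives it.
thumbprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# in_trust_store CERT: prints the trust-store file with the same thumbprint, else returns 1.
in_trust_store() {
  want="$(thumbprint "$1")"
  for t in "$TRUST"/*.crt; do
    [ "$(thumbprint "$t")" = "$want" ] && { printf '%s\n' "$t"; return 0; }
  done
  return 1
}

# build_path LEAF [CANDIDATE...]: CANDIDATEs are the extra certificates the server sent.
# Prints one line per certificate and ends with a TRUSTED or UNTRUSTED line.
build_path() {
  cur="$1"; shift
  depth=0
  while [ "$depth" -lt 10 ]; do
    printf 'depth %d: subject=%s\n' "$depth" "$(dn "$cur" subject)"
    if anchor="$(in_trust_store "$cur")"; then
      printf 'TRUSTED: matches trust-store thumbprint %s\n' "$(thumbprint "$anchor")"
      return 0
    fi
    want="$(dn "$cur" issuer)"
    next=""
    for c in "$@" "$TRUST"/*.crt; do
      if [ "$c" != "$cur" ] && [ "$(dn "$c" subject)" = "$want" ]; then next="$c"; break; fi
    done
    if [ -z "$next" ]; then
      printf 'UNTRUSTED: nothing available has subject equal to issuer=%s\n' "$want"
      return 1
    fi
    cur="$next"; depth=$((depth + 1))
  done
  echo 'UNTRUSTED: path too long'; return 1
}

# verify_leaf with|without: the full check (names, signatures, validity, CA flags) via
# openssl verify. "with" supplies the intermediate the server sent as untrusted input;
# "without" is the situation of hunting for the root with only the server certificate.
verify_leaf() {
  if [ "$1" = with ]; then set -- -untrusted "$WORK/int.crt"; else set --; fi
  if out="$(openssl verify -CAfile "$TRUST/root.crt" "$@" "$WORK/leaf.crt" 2>&1)" &&
     printf '%s\n' "$out" | grep -q ': OK$'; then echo OK; else echo FAIL; fi
}

echo "server cert issuer : $(dn "$WORK/leaf.crt" issuer)"
echo "root cert subject  : $(dn "$WORK/root.crt" subject)"
echo '-- path using the intermediate the server sent --'
build_path "$WORK/leaf.crt" "$WORK/int.crt" || true
echo '-- path using the server certificate alone --'
build_path "$WORK/leaf.crt" || true
echo "openssl verify: with intermediate=$(verify_leaf with) without=$(verify_leaf without)"
```

Run it with `sh chain.sh`. The second walk stops with a message naming the intermediate's subject, which is exactly the situation in the question: the server certificate's issuer is nowhere in the root store, so no attribute of it, CN included, will ever match a root there. The string comparison of RFC 2253 names stands in for the name-comparison rules of RFC 5280 section 7.1, and a real path builder (RFC 4158) also uses the authorityKeyIdentifier/subjectKeyIdentifier pair set above and may try several candidate paths; the structure of the walk is the same.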