2

I know that a certificate that's been signed by a CA contains identifiers for both the subject and the issuer's public keys:

$ openssl x509 -in cert.pem -text
X509v3 Subject Key Identifier: 
                EC:27: ...
X509v3 Authority Key Identifier: 
                keyid:AF:08: ...

I can extract the public key of the subject:

$ openssl x509 -in cert.pem -pubkey
-----BEGIN PUBLIC KEY-----
T5l...
-----END PUBLIC KEY-----

Is it possible to extract the full public key of the issuer? Is a special type of certificate required to do this?

If the .pem file doesn't contain the issuer's public key, then how does validation work - is the identifier sufficient to check that a certificate has been signed by the identifier's corresponding public key?

mijiturka

1 Answer

1

The issuer's public key is not part of a certificate. Only the public key of the subject itself is contained in the certificate. The issuer's public key is contained in the issuer's certificate (CA certificate), which needs to be known by the one validating the subject's certificate.

See SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate? for more information.

Steffen Ullrich
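The answer's point, as an added example that is not part of the original post: the script builds two throwaway CAs with the same subject name and one leaf, then shows that the leaf's Authority Key Identifier only matches the signing CA's Subject Key Identifier, that the issuer's full public key is read from the CA certificate, and that verification fails against the other CA. All names, files and helper functions are constructed for the demo; it assumes the `openssl` CLI with its default configuration file.

```shell
#!/bin/sh
# Added example. The CAs, leaf, subject names and file names are constructed.
set -eu

new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# make_ca DIR NAME: self-signed CA cert DIR/NAME.pem, subject always "CN=Demo CA"
make_ca() {
  new_key "$1/$2.key"
  openssl req -new -key "$1/$2.key" -subj "/CN=Demo CA" -out "$1/$2.csr"
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 1 \
    -extfile "$1/ext.cnf" -extensions ca -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA: leaf cert DIR/leaf.pem signed with DIR/CA.key
make_leaf() {
  new_key "$1/leaf.key"
  openssl req -new -key "$1/leaf.key" -subj "/CN=leaf.example" -out "$1/leaf.csr"
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -extfile "$1/ext.cnf" -extensions leaf \
    -out "$1/leaf.pem" 2>/dev/null
}

# key_id CERT Subject|Authority: print that key identifier as colon-separated hex
key_id() {
  openssl x509 -in "$1" -noout -text |
    awk -v h="X509v3 $2 Key Identifier" 'f { print; exit } index($0, h) { f = 1 }' |
    sed -e 's/^[[:space:]]*//' -e 's/^keyid://' -e 's/[[:space:]]*$//'
}

# pubkey CERT: print the subject public key stored in CERT
pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# signed_by CERT CA_CERT: succeeds only if CERT verifies against CA_CERT
signed_by() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

d=$(mktemp -d)
printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' 'subjectKeyIdentifier=hash' \
  '[leaf]' 'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$d/ext.cnf"
make_ca "$d" ca; make_ca "$d" other; make_leaf "$d" ca

echo "leaf AKI: $(key_id "$d/leaf.pem" Authority)"
echo "ca SKI:   $(key_id "$d/ca.pem" Subject)"
pubkey "$d/ca.pem"   # the issuer's full key, read from the issuer's certificate
signed_by "$d/leaf.pem" "$d/ca.pem" && echo "ca.pem: verified"
signed_by "$d/leaf.pem" "$d/other.pem" || echo "other.pem: rejected"
```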