I'm learning about certificates, and would like to understand:
How is it possible for intermediate certificates to not include a CA Issuers
part?
Is it not a must so that clients can figure it the Chain of Trust?
I'd like to give here 2 examples:
One whose intermediate certificate includes a CA Issuers
(*.stackexchange.com
), and one who doesn't (udemy.com
).
Let's start with security.stackexchange.com
:
openssl s_client -connect security.stackexchange.com:443
Outputs:
[...]
-----BEGIN CERTIFICATE-----
MIIHJTCCBg2gAwIBAgISA72+1m+qM4K1gtDMN1jR2FJbMA0GCSqGSIb3DQEBCwUA[...]
-----END CERTIFICATE-----
[...]
Let's save this conent into a file named stackexchange.pem
and parse it:
openssl x509 -in stackexchange.pem -text -noout
Outputs:
Certificate:
Data:
[...]
X509v3 extensions:
[...]
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
Now, let's go to that issuer:
http://cert.int-x3.letsencrypt.org/
Once browsed, a file named download.cer
(der
encoded) is downloaded, which I'm not sure how to use openssl
to directly parse it, so let's first convert it to pem
and save it, and then parse it:
openssl x509 -inform der -in download.cer -out download.pem
openssl x509 -in download.pem -text -noout
Outputs:
[...]
Authority Information Access:
OCSP - URI:http://isrg.trustid.ocsp.identrust.com
CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c
(The next certificate up the path is the root, so we'll leave it).
Great, so both certificates have a CA Issuers
part.
Now let's do the same for udemy.com
.
Its leaf certificate has:
[...]
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
Authority Information Access:
CA Issuers - URI:http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
OCSP - URI:http://ocsp.globalsign.com/gsrsaovsslca2018
But parsing the certificate at http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
has no CA Issuers
:
[...]
Authority Information Access:
OCSP - URI:http://ocsp2.globalsign.com/rootr3
How then, should clients go up the Chain of Trust path?
Now, I know that browsers have a predefined certificates list, and also that Windows have a predefined certificates list, so technically that udemy
path may be resolved, but what if a client (let's say it's not a browser nor a Windows app) doesn't have that predefined data? How can the intermediate CA certificates be followed?