I used the below command to open a certificate of a website that I downloaded from Firefox. What part of the downloaded certificate indicates that it is a CA's certificate?

openssl x509 -in ca.crt -text -noout
John
  • I am sorry but your question as it is written does not make sense to me. Certificates are always issued by a CA. If you self-sign a certificate you are actually building a custom mini-CA. – Robert Jan 16 '21 at 21:21

2 Answers

What part of the downloaded certificate indicates that it is a CA's certificate?

A CA certificate can be used to issue other certificates by signing these. This signature is only accepted if the issuing certificate contains the extension CA:true:

        X509v3 Basic Constraints: critical
            CA:TRUE

If this extension is not there or not TRUE it is either a very old type of certificate which does not support any extensions at all (X.509v1 not X.509v3) or it is a leaf certificate, i.e. the end of the trust chain which can not be used to issue new certificates.

Note that there are root CA and intermediate CA certificates. A root CA is usually self-signed, i.e. subject and issuer are the same. These root CAs are placed as the pre-trusted ultimate trust anchor in the local trust store and used when building the trust chain to the leaf certificate. For more see SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?.

Steffen Ullrich
A CA root certificate will be self-signed, and can be detected by comparing the Subject and the Issuer for the cert:

$ openssl x509 -in ca.crt -text -noout | egrep "Subject:|Issuer:"
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
$
gowenfawr
  • Or just `openssl x509 -in file -issuer -subject -noout` without needing grep. But not all CA certs are root certs, and neither are all self-signed certs roots – dave_thompson_085 Jan 17 '21 at 02:12
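As an added example (not code from either answer), both checks discussed on this page, the Basic Constraints cA flag from the first answer and the issuer/subject comparison from the second, implemented with a stdlib-only DER walker over constructed, unsigned certificate structures. The OIDs and tags are the real X.509 values; the certificates are fabricated with placeholder algorithm, validity, key and signature fields, so this inspects structure only and does not verify any signature, and the field indices assume the version element is present as in every v3 certificate.

```python
# Added example: constructed certificates, fabricated and unsigned; real X.509 OIDs/tags.
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # 2.5.29.19
OID_COMMON_NAME = bytes.fromhex("550403")         # 2.5.4.3

def tlv(tag, body):
    """Minimal DER encoder: tag, length (< 65536), body."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def items(body):
    """Split the body of a DER SEQUENCE/SET into (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def name(cn):
    """Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String }."""
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_COMMON_NAME) + tlv(0x0C, cn.encode()))))

def certificate(issuer, subject, ca=None):
    """Constructed Certificate; ca=None omits the extensions field entirely."""
    fields = [tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), tlv(0x30, b""),
              name(issuer), tlv(0x30, b""), name(subject), tlv(0x30, b"")]
    if ca is not None:
        # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }; DER omits
        # a value equal to its DEFAULT, so CA:FALSE is encoded as an empty SEQUENCE.
        bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")
        ext = tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS) + tlv(0x01, b"\xff") + tlv(0x04, bc))
        fields.append(tlv(0xA3, tlv(0x30, ext)))   # [3] EXPLICIT Extensions, marked critical
    tbs = tlv(0x30, b"".join(fields))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00\x00\x00\x00\x00"))

def inspect(cert_der):
    """Self-signed (issuer == subject)? CA per Basic Constraints? Any extensions at all?"""
    tbs = items(items(items(cert_der)[0][1])[0][1])      # Certificate -> TBSCertificate fields
    result = {"self_signed": tbs[3][1] == tbs[5][1], "ca": False, "has_extensions": False}
    for tag, val in tbs:
        if tag == 0xA3:
            result["has_extensions"] = True
            for _, ext in items(items(val)[0][1]):
                parts = items(ext)                        # OID, optional critical, OCTET STRING
                if parts[0][1] == OID_BASIC_CONSTRAINTS:
                    bc_body = items(parts[-1][1])[0][1]   # OCTET STRING holds the SEQUENCE
                    result["ca"] = any(t == 0x01 and v == b"\xff" for t, v in items(bc_body))
    return result
```

Running inspect() over a self-signed root, an intermediate and a leaf shows the distinction dave_thompson_085 raises: the intermediate reports ca=True but self_signed=False.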