3

I have asked about this on several forums but never got a straight answer. If the root certificate on a certificate chain has a different fingerprint to the root certificate available for download on the CA's website, does this mean the chain is faked?

The GeoTrust root certs can be viewed here
None of them match the root cert on my chain, which is:

GeoTrust Global CA
Identity: GeoTrust Global CA
Verified by
Expires: 08/21/2018

Subject Name
C (Country): US
O (Organization): GeoTrust Inc.
CN (Common Name): GeoTrust Global CA

Issuer Name
C (Country): US
O (Organization): Equifax
OU (Organizational Unit): Equifax Secure Certificate Authority

Issued Certificate
Version: 3
Serial Number: 12 BB E6
Not Valid Before: 2002-05-21
Not Valid After: 2018-08-21

Certificate Fingerprints
SHA1: 73 59 75 5C 6D F9 A0 AB C3 06 0B CE 36 95 64 C8 EC 45 42 A3
MD5: 2E 7D B2 A3 1D 0E 3D A4 B2 5F 49 B9 54 2A 2E 1A

Public Key Info
Key Algorithm: RSA
Key Parameters: 05 00
Key Size: 2048
Key SHA1 Fingerprint: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 B8 CA CC 4E

Extension
Identifier: 2.5.29.35
Value: 30 16 80 14 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 98 90 9F D4
Critical: No

Subject Key Identifier
Key Identifier: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 B8 CA CC 4E
Critical: No

Basic Constraints
Certificate Authority: Yes
Max Path Length: Unlimited
Critical: Yes

Key Usage
Usages: Digital signature
Critical: Yes

Extension
Identifier: 2.5.29.31
Value: 30 31 30 2F A0 2D A0 2B 86 29 68 74 74 70 3A 2F 2F 63 72 6C 2E 67 65 6F 74 72 75 73 74 2E 63 6F 6D 2F 63 72 6C 73 2F 73 65 63 75 72 65 63 61 2E 63 72 6C
Critical: No

Extension
Identifier: 2.5.29.32
Value: 30 45 30 43 06 04 55 1D 20 00 30 3B 30 39 06 08 2B 06 01 05 05 07 02 01 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79
Critical: No

Signature
Signature Algorithm: SHA1 with RSA
Signature Parameters: 05 00

scarecrow
  • 31
  • 4
  • 3
    Can you add some more detail? SHA1-fingerprints for each cert in question? Screenshots of each chain? – StackzOfZtuff Jul 04 '15 at 08:07
  • I added the root cert information to my question – scarecrow Jul 04 '15 at 17:08
  • 1
    That cert is NOT a root cert. As I explained, it's a BRIDGE cert that cross-signs "GeoTrust Global CA" under "Equifax Secure Certificate Authority". The root cert for that chain is the one labelled "Root 1 - Equifax Secure Certificate Authority" on the page you linked. – dave_thompson_085 Jul 08 '15 at 00:29

2 Answers

5

Some public CAs have multiple roots, and more use multiple roots.

Assuming gmail means mail.google.com, as the (currently two) reports at SSLLabs show, Google uses its own intermediate CA, (CN) Google Internet Authority G2, issued under (CN) GeoTrust Global CA.

That GeoTrust CA has a root cert with (SHA1) fingerprint beginning DE28, but also a nonroot bridge cert (included in server handshake) with fingerprint beginning 7359 under (OU) Equifax Secure Certificate Authority; that Equifax CA in turn has a root cert with fingerprint beginning D232 which was issued in 1998, so it was pretty well established and trusted when GeoTrust started in 2002 and initially was not trusted. Today the bridge cert shouldn't be needed, and pretty soon it will actually hurt because its chain expires sooner.

For more on GeoTrust (and Google) anchoring, see:

@Steffen's answer points to a comparable but slightly different case, multiple generations within Verisign.

UPDATE 2017: The Equifax root cert, and thus the GeoTrust bridge cert, are no longer valid using the MozillaNSS-also-curl truststore, see https://serverfault.com/a/841071/216633 .

dave_thompson_085
  • 9,759
  • 1
  • 24
  • 28
  • Don't you think this makes it very difficult for ordinary users to verify? When you have an email provider constantly sending different certs, and the user doesn't know the intricacies of trust chains, surely this leaves the door wide open for MITM to send fake cert chains? I would like to test this. If I were to create my own root cert in OpenSSL and call it GeoTrust and then use it to sign a cert called google and then use it to sign a cert called gmail, who would know that chain was fake? – scarecrow Jul 04 '15 at 19:08
  • @scarecrow a relier trusts a (PKIX) cert chain if it ends at a root (or anchor) in the relier's truststore. If you create your own root cert and give it the same name as GeoTrust (or any other established CA), it won't have the same key, so it won't be the same cert that systems have in their truststore, and it won't be trusted. See http://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity -- which actually uses gmail as the example! – dave_thompson_085 Jul 08 '15 at 00:47

4

You can have different root certificates with different fingerprints which contain the same public key. This is actually not uncommon when you are in the process of replacing a root CA. See also Multiple Versions of SSL Signing Certificate

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
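
The two answers above can be checked against the fields in the question's own dump. This is an added example, not part of either answer: it compares Subject with Issuer and decodes the 2.5.29.35 (authorityKeyIdentifier) value to show that the cert with fingerprint 73 59 ... is issued by another CA rather than self-signed, and that a different certificate can carry the same CA name and key. The dictionary layout and function names are hypothetical, and the `SELF_SIGNED` record is constructed for comparison.

```python
"""Classify a certificate from the fields a certificate viewer shows."""

# Fields copied from the dump in the question (the cert with SHA1 73 59 ...).
BRIDGE = {
    "subject": ("US", "GeoTrust Inc.", "GeoTrust Global CA"),
    "issuer": ("US", "Equifax", "Equifax Secure Certificate Authority"),
    "ski": "C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 B8 CA CC 4E",
    # Raw DER value of extension 2.5.29.35 (authorityKeyIdentifier).
    "aki_der": "30 16 80 14 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 98 90 9F D4",
}
# Constructed for comparison: a self-signed certificate for the same name and key.
SELF_SIGNED = {"subject": BRIDGE["subject"], "issuer": BRIDGE["subject"],
               "ski": BRIDGE["ski"], "aki_der": None}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def aki_key_id(aki_der_hex):
    """Extract keyIdentifier ([0], tag 0x80) from an AuthorityKeyIdentifier."""
    tag, body, _ = read_tlv(bytes.fromhex(aki_der_hex), 0)
    if tag != 0x30:
        raise ValueError("AuthorityKeyIdentifier must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x80:
            return value
    return None


def classify(cert):
    """'root-candidate' if self-issued, else 'issued-by-other-ca'."""
    ski = bytes.fromhex(cert["ski"])
    aki = aki_key_id(cert["aki_der"]) if cert["aki_der"] else None
    if cert["subject"] == cert["issuer"] and aki in (None, ski):
        return "root-candidate"  # still needs a signature check and a truststore match
    return "issued-by-other-ca"


def same_ca_key(a, b):
    """True when two different certificates carry the same subject and key."""
    return a["subject"] == b["subject"] and a["ski"] == b["ski"]
```

Matching names and key identifiers are only hints; whether a chain is trusted still depends on signature verification up to an anchor in the relier's truststore.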