Signing certificate with another certificate signed by CA

Submitted by 落花浮王杯 on 2020-03-13 07:31:10

Question


Is it possible to sign a new certificate using a certificate signed by a CA as the CA for other certificates and still have them validated by the root CA?

Example:

# create a new key and a CSR for the server
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
....
# send csr to ca for signing (server.crt comes back)
....
# now what if we make a new key and sign it with the received crt?
openssl genrsa -des3 -out newkey.key 2048
openssl req -new -key newkey.key -out newkey.csr
# sign newkey.csr using server.crt / server.key as the issuer
openssl x509 -req -in newkey.csr -CA server.crt -CAkey server.key -CAcreateserial -out newcert.crt -days 500

Why is it not possible to do this? I tried using this new cert for a service and the browser complains that the certificate lacks CA chain. Basically I want to use one certificate that is signed for the domain and create new certificates for subdomains using domain certificate as CA for the subdomains. How is this process designed to work?


Answer 1:


Whether or not a certificate can be used to sign another certificate is defined by the basic constraints field of the certificate. When you submit a CSR to a CA, the certificate returned by the CA should specify that the certificate cannot be used to sign other certificates in the basic constraints field.

Otherwise, this would open the door to anyone being able to create a fake certificate for any site. For example, I could create a CSR for mysite.com, get the certificate signed by a CA like VeriSign, then create a CSR for www.paypal.com and use the certificate for mysite.com to sign the certificate for www.paypal.com. Then, I would have a valid certificate for www.paypal.com. But, I'm not paypal.com.

Notwithstanding, many early SSL implementations in early browsers and even some early versions of OpenSSL did not check the basic constraints field of the certificates in a certificate chain, so this was a vulnerability that could be exploited. Security researcher Moxie Marlinspike was active in bringing this to the public's attention, which forced browser makers to fix this. See http://www.thoughtcrime.org/ie-ssl-chain.txt for more info.




Answer 2:


Why is it not possible to do this?

mti2935 had a good answer. To summarize, it breaks the trust model under most circumstances.


I tried using this new cert for a service and the browser complains that the certificate lacks CA chain.

Install the signing certificate in the "Trusted Certificate" store.


Basically I want to use one certificate that is signed for the domain and create new certificates for subdomains using domain certificate as CA for the subdomains.

Will there be a unique certificate for each subdomain, or will there be one certificate with all subdomains listed in the Subject Alternative Name?

The former is doable - you just buy a new certificate for each subdomain. The latter is a little more difficult, but not impossible.

To do the latter, you typically use a subordinate root or intermediate that allows you to mint end-entity certificates as you need them. If you are running your own private PKI, then you can do it. In the private PKI case, you tell your users to install your trust anchor (or "CA root") in their "Trusted Certificate" store.

If you want to avoid browser warnings and the like without requiring a user to install your trusted root, then you need to get in touch with folks like Trustwave. They have sold these types of certificates in the past. More correctly, they put the private key in hardware so the appliance could be sold for a higher price and the private key could not be copied. See, for example, Trustwave admits issuing man-in-the-middle digital certificate.


How is this process designed to work?

It depends on the use case. PKI is PKI and any introductory book will lay out the concepts. But a private PKI has a different model than the browsers because they are different use cases.
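An added example (shell + openssl, not code from the question or from either answer) that puts both answers into practice: it builds a root, an intermediate with basicConstraints CA:TRUE, and a www.example.com leaf with CA:FALSE, validates the leaf against the root the way a browser would, and then repeats the questioner's step of signing api.example.com with the leaf's key to show how validation rejects it. The file names, the example.com hostnames, the scratch directory and the 30-day lifetimes are assumptions made for the demo; it needs only the openssl command-line tool.

```sh
#!/bin/sh
# Added example, not part of the original post. Builds a throw-away three-tier
# PKI (root -> intermediate -> leaf) with openssl, then signs a second leaf
# with the first leaf's key, exactly as the question does, and shows the
# verifier's verdict in each case. Names, hostnames, paths and lifetimes are
# assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir for keys and certs (assumed)

# x509v3 extensions: CA certs get CA:TRUE and keyCertSign, leaves get CA:FALSE.
# The intermediate gets pathlen:0 so it may issue leaves but no further CAs.
write_ext() {  # $1 = output file, $2 = root|intermediate|leaf, $3 = DNS name (leaf)
  case "$2" in
    root)         printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
    intermediate) printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
    leaf)         printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "${3:-}" ;;
  esac > "$1"
}

new_key_and_csr() {  # $1 = name, $2 = subject CN
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign $1's CSR with issuer $2 (or self-sign when $2 is "self"), applying the
# extensions for role $3. Note that openssl x509 -req happily signs with a
# CA:FALSE issuer; the basicConstraints check happens at validation time.
sign_cert() {  # $1 = name, $2 = issuer name | self, $3 = role, $4 = DNS name (leaf)
  write_ext "$WORK/$1.ext" "$3" "${4:-}"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

basic_constraints() {  # prints the Basic Constraints value of $1.crt, e.g. "CA:FALSE"
  openssl x509 -in "$WORK/$1.crt" -noout -text | sed -n '/Basic Constraints/{n;s/^ *//;p;}'
}

# Validate $1.crt with root.crt as the only trust anchor; remaining args are the
# untrusted intermediates a TLS server would send with its leaf. Prints
# openssl's verdict; the exit status is the verification result.
verify_chain() {
  leaf="$WORK/$1.crt"; shift
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $WORK/$c.crt"; done
  # shellcheck disable=SC2086  # word-splitting $untrusted is intended
  openssl verify -CAfile "$WORK/root.crt" $untrusted "$leaf" 2>&1
}

build_pki() {
  if [ -f "$WORK/api.crt" ]; then return 0; fi   # already built
  new_key_and_csr root "Example Root CA";            sign_cert root self root
  new_key_and_csr intermediate "Example Issuing CA"; sign_cert intermediate root intermediate
  new_key_and_csr www "www.example.com";             sign_cert www intermediate leaf www.example.com
  # The question's step: sign a sub-domain cert with the *leaf* www cert and key.
  new_key_and_csr api "api.example.com";             sign_cert api www leaf api.example.com
}

build_pki
echo "intermediate: $(basic_constraints intermediate)"
echo "www:          $(basic_constraints www)"
echo "--- leaf issued by the intermediate ---"
verify_chain www intermediate || true
echo "--- leaf issued by another leaf (the question's setup) ---"
verify_chain api www intermediate || true
```

The first verification ends in "OK"; the second reports "invalid CA certificate" at depth 1, which is the basicConstraints check Answer 1 describes: www.crt carries CA:FALSE, so no verifier will accept anything it signed. For a private PKI, the model Answer 2 calls a subordinate root or intermediate is this same layout: install only root.crt in the users' trust store and have each server send its leaf together with intermediate.crt.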



Source: https://stackoverflow.com/questions/21319841/signing-certificate-with-another-certificate-signed-by-ca
