1

Lets say we have a business owned internal CA. Its certificate is trusted by one of the Trusted Roots that is present in all browsers.

With that CA, we issue a bunch of certificates for servers in the organisation - say for webmail over SSL.

For a user coming to visit that webmail server, and has the Trusted Root present in its trusted root certificate store, would it automatically trust the webmail server cert, even though it does not explicitly trust the business CA certificate?

My understanding that intermediate certificates inherit the trust of their signatory, but want to confirm.

Paul
  • 59,223
  • 18
  • 147
  • 168

1 Answers1

1

The browser must trace the certificates chain to one of the CA certificates it trusts explicitly. So, if the chain is RootCA(trusted) -> IntermediateCA -> YourCert, the browser must have the intermediate CA certificate in order to validate the chain.

If you're using Apache, you can use SSLCertificateChainFile directive to let the web server present the intermediate certificate (your internal CA) to the browser. Then it will all work ok. I'm sure similar mechanisms exist in all other major web servers.

haimg
  • 22,193
  • 16
  • 79
  • 113
  • Yes, I understand the chain must be presented, but my question is explict trust of the intermediary. The certificate presented by the webserver isn't trusted in itself, but is signed by a CA that also isn't trusted, but CA cert is signed by a Root which is trusted. We trust the Webserver because it is signed by a CA thats certificate is signed by a Root? No need to trust the CA directly by having its cert in our trusted certs repository? – Paul Nov 17 '11 at 22:21
  • @Paul: Yes! This is the whole point of intermediate certs... No need to trust them explicitly, having their "parent" root CA trusted explicitly is enough. – haimg Nov 18 '11 at 00:42
  • Hold on a second. What is to stop my CA issuing a cert for microsoft.com provided I present the chain with a trusted root at the top, from my webserver? – Paul Nov 23 '11 at 12:44
  • @Paul: Nothing. Some people put too much trust into PKI. But basically "some random CA" is not much safer than self-signed cert, trust-wise. But, of course, you cannot just order a signed sub-CA from a reputable CA, without some assurances about how it is going to be used. – haimg Nov 24 '11 at 04:05