On 2/23/2012 10:49 AM, Ashok C wrote:
Hi,

What would be the most efficient and easiest way to distinguish a CA certificate from an actual server/client (end entity) certificate? We were thinking of identifying the CA with the "CA:TRUE" constraint from the text display, but again this check does not cover X.509 v1 certificates where this extension is not present.
Is there any command/OpenSSL API available which would serve this purpose?


Ah, a classic FAQ.  I think I answered a very similar question
last year, but here we go again.

In practice you need to distinguish 4 kinds of certificate:

1. CA Root.  Recognized by being signed by itself (Subject
Distinguished Name exactly the same as Issuer Distinguished
Name), by having the CA property not set to FALSE (in other
words, it is TRUE or absent), by having similar flags and bits
in the other usage properties also allowing use as a CA and by
usually having one of the words "ROOT" or "CA" as a word
substring of its common name (CN in the Subject).  (A word
substring is a substring bordered on both sides by end/start
of string or by a non-letter).

2. Intermediary CA.  Recognized by NOT being signed by itself,
but still having the various usage properties allowing or not
preventing use as a CA.

3. Self-Signed End Entity.  Recognized by being signed by
itself, but failing one or more of the other checks for being
a CA root, and/or by having a subject name which is directly
usable for an end entity (e.g. a domain name or e-mail
address).  These tend to be created quite sloppily, so the
only sure test is if someone uses it as an end entity
certificate.  The next best test is that anything not on
YOUR list of trusted CA roots is not a CA root until overridden
by human intervention based on hard offline evidence.

4. Regular End Entity.  Recognized by NOT being signed by
itself AND being explicitly marked with one or more attributes
preventing use as a CA (most professional CAs don't allow end
entity certificates to act as intermediary CAs, as it would
completely nullify their identity checking efforts and thus
the trustworthiness of their root CA cert).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
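The four-way test in the reply above, written out as code. This is an added example, not code from the thread or from OpenSSL: the decision rules are the ones the reply gives (self-signed = subject DN equals issuer DN; CA use allowed = basicConstraints cA not FALSE and keyUsage keyCertSign not FALSE; "ROOT"/"CA" as a word substring of the CN; a CN that is a host name or e-mail address marks a self-signed end entity; a self-signed certificate is a root only if it is on YOUR trusted list). The `CertSummary` values at the bottom are constructed stand-ins for parsed certificates, and the `summarize()` helper assumes the third-party `cryptography` package as one way to pull the fields out of a real certificate; the trusted-root DN and the example names are made up.

```python
"""Classify an X.509 certificate as root CA, intermediate CA, self-signed end
entity or regular end entity, following the rules in the reply above.
Added example; field extraction via `cryptography` is an assumption, not the
thread's own code."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

ROOT_CA = "root CA"
INTERMEDIATE_CA = "intermediate CA"
SELF_SIGNED_EE = "self-signed end entity"
END_ENTITY = "end entity"

# "ROOT" or "CA" as a word substring: bordered by start/end of string or a non-letter.
CA_WORD = re.compile(r"(?<![A-Za-z])(ROOT|CA)(?![A-Za-z])", re.IGNORECASE)
# A subject CN "directly usable for an end entity": a DNS host name (wildcard allowed).
DNS_NAME = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


@dataclass
class CertSummary:
    subject: str                          # subject DN as one string
    issuer: str                           # issuer DN as one string
    common_name: str                      # CN from the subject ("" if absent)
    version: int                          # 1 or 3
    ca: Optional[bool] = None             # basicConstraints cA; None if extension absent
    key_cert_sign: Optional[bool] = None  # keyUsage keyCertSign; None if extension absent


@dataclass
class Verdict:
    kind: str
    reasons: List[str] = field(default_factory=list)


def ca_use_not_forbidden(c: CertSummary) -> bool:
    """CA property is TRUE or absent, and keyUsage (if present) allows cert signing."""
    return c.ca is not False and c.key_cert_sign is not False


def looks_like_end_entity(cn: str) -> bool:
    """CN is an e-mail address or a DNS name, i.e. directly usable by an end entity."""
    return "@" in cn or bool(DNS_NAME.match(cn))


def classify(c: CertSummary, trusted_roots: FrozenSet[str] = frozenset()) -> Verdict:
    self_signed = c.subject == c.issuer
    reasons: List[str] = []
    if c.ca is None and c.key_cert_sign is None:
        # The v1 case from the question: nothing asserts CA use, nothing forbids it.
        reasons.append(f"v{c.version} certificate without basicConstraints/keyUsage: "
                       "CA use is neither asserted nor forbidden")
    if not self_signed:
        if ca_use_not_forbidden(c):
            return Verdict(INTERMEDIATE_CA, reasons + ["issuer differs from subject; nothing forbids CA use"])
        return Verdict(END_ENTITY, reasons + ["issuer differs from subject; explicitly marked as not a CA"])
    # Self-signed: a root only if every CA check passes AND it is on the trusted list.
    if not ca_use_not_forbidden(c):
        return Verdict(SELF_SIGNED_EE, reasons + ["self-signed but marked as not a CA"])
    if looks_like_end_entity(c.common_name):
        return Verdict(SELF_SIGNED_EE, reasons + [f"subject CN {c.common_name!r} is a host name or e-mail address"])
    if c.subject in trusted_roots:
        return Verdict(ROOT_CA, reasons + ["self-signed, CA use allowed, on the trusted root list"])
    hint = "CN contains the word ROOT or CA" if CA_WORD.search(c.common_name) else "CN lacks the word ROOT or CA"
    return Verdict(SELF_SIGNED_EE, reasons + [f"{hint}, but not on the trusted root list: "
                                              "not a root until a human adds it on offline evidence"])


def summarize(cert) -> CertSummary:
    """Build a CertSummary from a cryptography x509.Certificate (assumed dependency)."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID
    ca = kcs = None
    try:
        ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        pass
    try:
        kcs = cert.extensions.get_extension_for_class(x509.KeyUsage).value.key_cert_sign
    except x509.ExtensionNotFound:
        pass
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return CertSummary(cert.subject.rfc4514_string(), cert.issuer.rfc4514_string(),
                       cns[0].value if cns else "", cert.version.value + 1, ca, kcs)


# Constructed stand-ins for parsed certificates (made-up names, not real certificates).
TRUSTED = frozenset({"CN=Example Root CA,O=Example Ltd"})
SAMPLES = {
    "root": CertSummary("CN=Example Root CA,O=Example Ltd", "CN=Example Root CA,O=Example Ltd",
                        "Example Root CA", 3, ca=True, key_cert_sign=True),
    "intermediate": CertSummary("CN=Example Issuing CA 1,O=Example Ltd", "CN=Example Root CA,O=Example Ltd",
                                "Example Issuing CA 1", 3, ca=True, key_cert_sign=True),
    "leaf": CertSummary("CN=www.example.com,O=Example Ltd", "CN=Example Issuing CA 1,O=Example Ltd",
                        "www.example.com", 3, ca=False, key_cert_sign=False),
    "self-signed server": CertSummary("CN=www.example.com", "CN=www.example.com", "www.example.com", 1),
    "self-signed with CA:FALSE": CertSummary("CN=Test Box", "CN=Test Box", "Test Box", 3, ca=False),
    "unknown root": CertSummary("CN=Scratch Root CA", "CN=Scratch Root CA", "Scratch Root CA", 3,
                                ca=True, key_cert_sign=True),
    "v1 leaf": CertSummary("CN=Old Leaf", "CN=Legacy CA", "Old Leaf", 1),
}

if __name__ == "__main__":
    for label, summary in SAMPLES.items():
        v = classify(summary, TRUSTED)
        print(f"{label:26s} -> {v.kind}: {'; '.join(v.reasons)}")
```

Feed a real certificate with `classify(summarize(x509.load_pem_x509_certificate(pem_bytes)), my_roots)`. The same fields are visible from the command line with `openssl x509 -in cert.pem -noout -subject -issuer -ext basicConstraints,keyUsage` (the `-ext` option needs OpenSSL 1.1.1 or later), and `openssl x509 -noout -purpose` prints OpenSSL's own verdict from `X509_check_ca()`, which likewise honours basicConstraints when present and otherwise falls back to keyUsage and the v1 self-signed case. Note the "v1 leaf" sample: with no extensions and a different issuer, the rules above cannot exclude CA use, which is exactly why the reply ends with "the only sure test is if someone uses it".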
