I’m learning about certificates, and would like to understand:
How is it possible for intermediate certificates to not include a
CA Issuers part?
Is it not a must so that clients can figure it the Chain of Trust?
I’d like to give here 2 examples:
One whose intermediate certificate includes a
CA Issuers (
*.stackexchange.com), and one who doesn’t (
Let’s start with
openssl s_client -connect security.stackexchange.com:443
(...) -----BEGIN CERTIFICATE----- MIIHJTCCBg2gAwIBAgISA72+1m+qM4K1gtDMN1jR2FJbMA0GCSqGSIb3DQEBCwUA(...) -----END CERTIFICATE----- (...)
Let’s save this conent into a file named
stackexchange.pem and parse it:
openssl x509 -in stackexchange.pem -text -noout
Certificate: Data: (...) X509v3 extensions: (...) Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
Now, let’s go to that issuer:
Once browsed, a file named
der encoded) is downloaded, which I’m not sure how to use
openssl to directly parse it, so let’s first convert it to
pem and save it, and then parse it:
openssl x509 -inform der -in download.cer -out download.pem openssl x509 -in download.pem -text -noout
(...) Authority Information Access: OCSP - URI:http://isrg.trustid.ocsp.identrust.com CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c
(The next certificate up the path is the root, so we’ll leave it).
Great, so both certificates have a
CA Issuers part.
Now let’s do the same for
Its leaf certificate has:
(...) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment Authority Information Access: CA Issuers - URI:http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt OCSP - URI:http://ocsp.globalsign.com/gsrsaovsslca2018
But parsing the certificate at
http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt has no
(...) Authority Information Access: OCSP - URI:http://ocsp2.globalsign.com/rootr3
How then, should clients go up the Chain of Trust path?
Now, I know that browsers have a predefined certificates list, and also that Windows have a predefined certificates list, so technically that
udemy path may be resolved, but what if a client (let’s say it’s not a browser nor a Windows app) doesn’t have that predefined data? How can the intermediate CA certificates be followed?