Does a truststore need the sub-ca certificate?

ぐ巨炮叔叔 submitted on 2019-12-08 16:57:08

Question


I'm trying to setup a hierarchical PKI. Can I create a truststore containing only the root ca certificate, and will that mean my application trusts certificates signed by a sub-ca certificate which is in turn signed by the root ca?

As an aside, it seems that you must provide an entire certificate chain, including the root ca certificate. Surely if the root ca is trusted, the certificate shouldn't need to be sent? We just want to check if the next certificate down is signed by it.


Answer 1:


The trust store should only contain the root CAs, not intermediates.

An identity store should contain private keys, each associated with its certificate chain, except for the root.

Many, many applications in the wild are misconfigured, and when trying to identify themselves (say, a server authenticating itself with SSL), they only send their own certificate, and are missing the intermediates. There are fewer that mistakenly send the root as part of the chain, but this is less harmful. Most certificate path builders will just ignore it, and find a path to a root from their trusted key store.

The suppositions in the original question are right on target.
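The behaviour the answer describes can be checked directly with the OpenSSL command line. The script below is an added example, not part of the question or answer: it builds a throwaway three-level PKI (root CA, sub-CA, server certificate, all with constructed names such as "Example Root CA") and then runs `openssl verify` against a truststore that holds only the root. It assumes an `openssl` binary of version 1.1.1 or later on the PATH; every file name and subject is invented for the demonstration. Four cases are exercised: the peer sends leaf plus intermediate (verifies), the peer also sends the root (still verifies, the extra root is ignored), the peer sends only its leaf (fails with "unable to get local issuer certificate"), and the truststore wrongly contains the sub-CA as well (the leaf-only peer now verifies, which hides the misconfiguration rather than fixing it).

```shell
#!/bin/sh
# Added demonstration: root-only truststore versus what the peer presents.
# Assumes openssl >= 1.1.1. All names, paths and lifetimes are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Root CA: self-signed. `req -x509` marks it CA:TRUE by default.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Example Root CA" -days 365 >/dev/null 2>&1

# 2. Sub-CA: CSR signed by the root, with CA extensions from an ext file.
openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj "/CN=Example Sub CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out sub.crt -days 365 -extfile sub.ext >/dev/null 2>&1

# 3. Server leaf: CSR signed by the sub-CA, end-entity extensions only.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=server.example.test" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > server.ext
openssl x509 -req -in server.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -out server.crt -days 365 -extfile server.ext >/dev/null 2>&1

# Bundles representing what a peer might send, and a misconfigured truststore.
cat sub.crt root.crt > peer_sends_sub_and_root.pem   # chain padded with the root
cat root.crt sub.crt > truststore_with_sub.pem       # intermediate wrongly trusted

# verify TRUSTSTORE LEAF [UNTRUSTED]: prints "ok" or "fail".
# -untrusted is the set of certificates the peer presented alongside its leaf;
# -no-CApath/-no-CAfile keep the system CA bundle out of the picture.
verify() {
  if [ -n "$3" ]; then
    openssl verify -no-CApath -no-CAfile -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Case A: truststore = root only; peer sends leaf + sub-CA (correct setup).
case_chain_sent()       { verify root.crt server.crt sub.crt; }
# Case B: same, but the peer also sends the root; path builder ignores it.
case_chain_with_root()  { verify root.crt server.crt peer_sends_sub_and_root.pem; }
# Case C: truststore = root only; peer sends only its leaf (common misconfiguration).
case_leaf_only()        { verify root.crt server.crt; }
# Case D: leaf-only peer, but the sub-CA was put in the truststore, masking case C.
case_sub_in_truststore(){ verify truststore_with_sub.pem server.crt; }

printf 'A root-only truststore, leaf+sub sent:      %s\n' "$(case_chain_sent)"
printf 'B root-only truststore, leaf+sub+root sent: %s\n' "$(case_chain_with_root)"
printf 'C root-only truststore, leaf only sent:     %s\n' "$(case_leaf_only)"
printf 'D sub-CA in truststore, leaf only sent:     %s\n' "$(case_sub_in_truststore)"
```

Case C is the failure an operator sees when a server is deployed without its intermediate; the right fix is to add the intermediate to the server's identity chain (case A), not to the clients' truststores (case D), because the latter only works for clients you control and silently widens what is trusted.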



Source: https://stackoverflow.com/questions/353010/does-a-truststore-need-the-sub-ca-certificate
