Should the trusted Root CA be a part of the certificate chain?

Submitted by 早过忘川 on 2020-01-03 04:15:13

Question


I'm setting up 2-way SSL communication between services on different hosts. Let's say I have my own CA called A. A is trusted by all of my services through a centralized jks. Now let's say I have certificate B signed by A. When services send the certificate should they be sending the entire chain B - A, or just B? I believe both tend to work with most implementations.

I tried to find canonical information about this online, but I'm coming up with nothing.

Thanks for the help


Answer 1:


As per the Information Security Stack Exchange question "Validating an SSL certificate chain according to RFC 5280: Am I understanding this correctly?":

the server should send the exact chain that is to be used; the server is explicitly allowed to omit the root CA, but that's all.

Reference (RFC 5246 - TLS v1.2, sec. 7.4.2. - Server Certificate):

certificate_list

This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
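The ordering rules quoted above, turned into a check, as an added example that is not part of the original question or answers. It assumes a constructed hierarchy with a hypothetical intermediate CA between root A and the service certificate B (in the question B is signed directly by A; the extra level is what makes "each following certificate MUST directly certify the one preceding it" visible), and uses only Go's standard crypto/x509 package. The functions issue, buildPKI and checkChainOrder are the example's own names, not anything from the question's environment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn: self-signed when parent is nil, else signed by parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true, // leaves carry an explicit CA:FALSE
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI constructs a hypothetical hierarchy: root A -> intermediate -> leaf B.
func buildPKI() (root, inter, leaf *x509.Certificate, err error) {
	var rootKey, interKey *ecdsa.PrivateKey
	if root, rootKey, err = issue("A", true, nil, nil); err != nil {
		return
	}
	if inter, interKey, err = issue("A Intermediate", true, root, rootKey); err != nil {
		return
	}
	leaf, _, err = issue("B", false, inter, interKey)
	return
}

// checkChainOrder applies the RFC 5246 7.4.2 rules to a certificate_list as the peer sent
// it: sender's certificate first, each following certificate directly certifies the one
// before it, and the list ends at a root already in our trust store (allowed but redundant)
// or at a certificate issued directly by such a root (root omitted). The root is never
// taken from the peer. It reports whether the root was included.
func checkChainOrder(chain, roots []*x509.Certificate) (rootIncluded bool, err error) {
	if len(chain) == 0 {
		return false, errors.New("empty certificate_list")
	}
	for i := 1; i < len(chain); i++ { // CheckSignatureFrom also insists chain[i] is a signing CA
		if err := chain[i-1].CheckSignatureFrom(chain[i]); err != nil {
			return false, fmt.Errorf("cert %d (%q) does not directly certify cert %d (%q): %w",
				i, chain[i].Subject.CommonName, i-1, chain[i-1].Subject.CommonName, err)
		}
	}
	last := chain[len(chain)-1]
	for _, r := range roots {
		if last.Equal(r) {
			return true, nil
		}
		if last.CheckSignatureFrom(r) == nil {
			return false, nil
		}
	}
	return false, errors.New("chain does not end at a certificate issued by a trusted root")
}

func main() {
	root, inter, leaf, err := buildPKI()
	if err != nil {
		panic(err)
	}
	roots := []*x509.Certificate{root} // the centralized trust store holds only A
	for _, chain := range [][]*x509.Certificate{
		{leaf, inter, root}, // full chain, root sent along
		{leaf, inter},       // root omitted, as the RFC allows
		{inter, leaf},       // wrong order
		{leaf},              // intermediate missing
	} {
		inc, err := checkChainOrder(chain, roots)
		fmt.Printf("len=%d rootIncluded=%-5v err=%v\n", len(chain), inc, err)
	}
}
```

Run it with go run. The list that sends the root passes with rootIncluded=true, the list that omits it passes too, and the misordered and incomplete lists fail. In both passing cases the root is matched against the local trust store; a root received from the peer is only compared with what the verifier already holds, never trusted on its own. Go's own x509.Certificate.Verify builds a path from Intermediates plus Roots without caring how the peer ordered them, so this check is stricter than what most TLS stacks enforce, which matches the question's observation that both forms tend to work in practice.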




Answer 2:


The idea behind the trusted root CA is that it is trusted. Would you expect the browser to trust anything sent by the server just because it includes a root CA? No!

Therefore the root CA must be already at the client and must be trusted there. It should not be included in the certificate chain by the server, but if you do it anyway browsers will simply ignore it.



Source: https://stackoverflow.com/questions/34945244/should-the-trusted-root-ca-be-a-part-of-the-certificate-chain
