Friday, October 28, 2016

A quick and sure way to know if an SSL certificate is used as a CertAuthority

Under x509 v3 we have special attributes for indicating the purpose of a certificate and whether it's a "CA".

By using openssl x509 we can review the certificate type and whether it's a CA certificate.


Take this certificate chain where we have two certificates and we want to find out which one is a CA certificate from a usage standpoint.




Notice the CA:TRUE vs. the CA:FALSE. If the former is set, that's an indication the certificate sits at the top of the chain as a root CA or intermediate certificate.

Take this Entrust chain where we have a root, plus 2 intermediate certificates, and finally the server.

(I'm showing the CA: flags for the root and intermediates; outputs truncated)


















(Now at the end of the chain we have the server certificate; notice the CA:FALSE)







So you have a few means to validate the certificate and its usage.
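One way to script the check above, as an added example that is not from the original post: it reads the text printed by `openssl x509 -in cert.pem -noout -text` and reports the Basic Constraints value, including the case where the extension is absent. The function names (`ca_status`, `is_ca`, `sample_*`) are hypothetical and the sample inputs are constructed to match the shape of openssl's output.

```shell
#!/bin/sh
# Added example. Feed it the text printed by:
#   openssl x509 -in cert.pem -noout -text
# ca_status prints "CA:TRUE", "CA:TRUE pathlen:N" or "CA:FALSE", with
# " critical" appended when the extension is marked critical, or
# "no-basic-constraints" when the extension is not present at all.
ca_status() {
    awk '
        /X509v3 Basic Constraints:/ {
            crit = ($0 ~ /critical/) ? " critical" : ""
            if ((getline) <= 0) exit        # value is on the next line
            gsub(/^[ \t]+|[ \t\r]+$/, "")   # trim indentation
            gsub(/, */, " ")                # "CA:TRUE, pathlen:0" -> "CA:TRUE pathlen:0"
            print $0 crit
            printed = 1
            exit
        }
        END { if (!printed) print "no-basic-constraints" }
    '
}

# Exit status 0 only when the certificate text on stdin says CA:TRUE.
is_ca() {
    case "$(ca_status)" in
        CA:TRUE*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed samples shaped like the openssl text output (not real certificates).
sample_intermediate() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
EOF
}
sample_server() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
EOF
}
sample_v1() { printf '        Version: 1 (0x0)\n'; }

for s in sample_intermediate sample_server sample_v1; do
    printf '%-20s %s\n' "$s" "$($s | ca_status)"
done
```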

Ken

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \


