Under the x509 v3 we have special attributes for indicating the purpose of a certificate and if it's "CA".
By using the openssl x509 we can review what's the certificate type and if it's a CA certificate.
Take this certificate chain where we have two certificats and we want to find out which one is a CA certificate from a usage standpoint
Notice the CA: TRUE vrs the CA:FALSE if the former is set, then that's a indication it top of the chain and as a rootCA or intermediate certificate.
Take this Entrust Chain where we have a root, plus 2 intermediate certificates and finally the server
( I'm showing the CA: flags for the root and intermediates outputs truncated )
( now at the end of the chain we have the server certificate, notice the CA:FALSE )
So you have a few means for validate the certificate and it's usage.
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
=( @ @ )=