
Can an SSL certificate be signed by multiple certificate authorities?

It would be nice to spread the trust around a bit, so we don't have to rely on just one root in any instance.

Is it possible to have a single certificate signed by more than one CA?


No, the X.509 certificate format up to version 3 is designed to contain exactly one signature.


Yes, it is possible. You can find an example here:

http://www.confusedamused.com/notebook/fixing-verisign-certificates-on-windows-servers/



Can an SSL certificate be signed by multiple certificate authorities?

It depends, but mostly NO. It depends on the PKI being used. There are two widespread PKIs used, and neither of them allow it.

The first widespread PKI is under CA/Browser Baseline Requirements. The CA/B BR documents what browsers are doing. The second one is the IETF's PKIX. It's what user agents like curl and wget follow. Neither of them allow it.

The CA/B and the IETF have slightly different rules. For a more in-depth discussion, see How do you sign Certificate Signing Request with your Certification Authority?


Now, there are two other options that could work for you, but they will require some work.

The first alternate option is to run your own PKI that does allow it. But browsers and other user agents won't know how to handle the certificates.

The second alternate option is to use an extension that includes the second authority's certification. Then, the primary authority, like a public CA, would sign the request with extension. Typical user agents will use the customary public CA signature, while your custom software will use the embedded alternate signature.

Extensions are usually used for policy (like conveying "extended validation" information), but it may work here. However, the IETF's PKI lacks policy, so you may need to get creative.


Also see Is it possible to have a certificate signed by 2 authorities? on Super User.

Also see Certificate with Multiple Signers? on the PKIX mailing list. PKIX is the Internet's PKI as called out by the IETF.


Yes, a certificate may be signed by multiple CAs. The term for this is cross-signing. See https://letsencrypt.org/certificates/ for a good description of how this works. Note that in the diagram at the top of the page, several of Let's Encrypt's intermediate certificates are signed by two root certificates (ISRG Root X1 and DST Root CA X3). Also, see https://security.stackexchange.com/questions/14043/what-is-the-use-of-cross-signing-certificates-in-x-509 for more info.


No, one single certificate is signed by only one CA. But you can have two so-called cross-signed certificates, which share the same private and public key and the same common name and other common information, but signed by two different CAs. In that case, they are both equally valid alternatives for the validation of a certificate on a lower level which is issued by one of them.

