What are the points of differentiation between the CA cert and the server cert?

375    Asked by AndrewJenkins in SQL Server , Asked on Dec 29, 2021

When compared, on what basis can CA cert be differentiated from the server cert? 

In a blog, I read the basics of both i.e

Server Certificate

Server certificates (SSL certificates) are used to authenticate the identity of a server. When installed on a website, an SSL certificate turns the protocol on the website from HTTP to HTTPS [Difference b/w HTTP and https] and installs indicators that vouch for the authenticity of the website. Thus, users can know the website belongs to the said entity. Apart from authentication, SSL certificates also facilitate Encryption. Meaning, any information a user sends to the server is protected from the reaches of any ill-intended 3rd party.

Client Certificate

In cryptography, a client certificate can be defined as a digital certificate used to authenticate the identity of the requester – email user or website user, to a remote server. A client certificate ensures the server that it is communicating with a legitimate user.

Client certificates are used to validate the identity of a client (user). The user, in this case, might be a website user or an email user. Simply put, it works as a password, but without any intervention/input from the user. This way, the server makes sure that it’s connecting to the permitted user and that party is safe to communicate with.


Answered by Andrew Jenkins

This only makes sense if the root is saying not only "this intermediate cert is who they claim to be," but "this intermediate cert is allowed to issue new certs on my behalf." When signing a CA Cert, the CA asserts indeed that the private key belongs to a particular entity and what that private key is allowed to do. Being allowed to sign certificates is one of the possible "authorizations". In practice, the owner of the private key can sign whatever he wants with it. However, compliant web browsers would reject signatures that are cryptographically valid but do not match the purposes of the certificate. Root and intermediate CAs therefore have fields that indicate they are allowed to sign SSL certificates. The fields can vary. For example, these extensions would ensure the certificate can sign other certs:

X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign

Interestingly, a CA can limit how long the chain of intermediate CA can be, by specifying a pathlen. Therefore, it is possible for example that, the day you create the root certificate, you impose that no intermediate CA can be derived from the root by setting the pathlen to zero. In that case, even if the root mistakingly signs a certificate with CA extensions, certificates signed by the intermediate cert should be rejected by well behaved browsers.



Your Answer

Interviews

Parent Categories