Cross-signing non-self-signed third party certificate
yannik at sembritzki.org
Thu Jun 1 17:51:46 UTC 2023
On 30.05.23 14:26, Jochen Bern wrote:
> 1. The cert (or, for that matter, CSR) being *self* signed serves as
> proof that the requesting party is in possession of the private key.
> 2. You want to sign info on the subject you verified, not someone else's
> interpretation of the subject; e.g., a person's cert from a 3rd party
> CA giving the OU as "FooBar E-Mail-Reply Verified Personal
> Certificates" is unlikely to correctly state the dpt. the person
> works in. (Assuming that you would want to copy *anything* beyond the
> pubkey from the preexisting cert into the new one, of course.)
While these points may be relevant in some environments, I don't think
of them as enough reason to completely forbid users from cross-signing
Finally, this should be up to the user.
In our specific use case, it is us wanting to trust part of a third
party pki, but restrict this trust by cross-signing with a name
constraint. The third party may not be very interested in this ("simply
import our ca as is"), but we want to do it, because internal pkis are
not held to the same standard as public CAs which are bound by the
CA/Browser Forum Baseline requirements.
More information about the openssl-users