Cross-signing non-self-signed third party certificate

Yannik Sembritzki yannik at
Thu Jun 1 17:51:46 UTC 2023

On 30.05.23 14:26, Jochen Bern wrote:
> 1. The cert (or, for that matter, CSR) being *self* signed serves as
>    proof that the requesting party is in possession of the private key.
> 2. You want to sign info on the subject you verified, not someone else's
>    interpretation of the subject; e.g., a person's cert from a 3rd party
>    CA giving the OU as "FooBar E-Mail-Reply Verified Personal
>    Certificates" is unlikely to correctly state the dpt. the person
>    works in. (Assuming that you would want to copy *anything* beyond the
>    pubkey from the preexisting cert into the new one, of course.)

Hi Jochen,

While these points may be relevant in some environments, I don't think 
of them as enough reason to completely forbid users from cross-signing 
non-self-signed certificates.
Finally, this should be up to the user.

In our specific use case, it is us wanting to trust part of a third 
party pki, but restrict this trust by cross-signing with a name 
constraint. The third party may not be very interested in this ("simply 
import our ca as is"), but we want to do it, because internal pkis are 
not held to the same standard as public CAs which are bound by the 
CA/Browser Forum Baseline requirements.

Best regards

More information about the openssl-users mailing list