Cross-signing non-self-signed third party certificate
Jochen Bern
Jochen.Bern at binect.de
Tue May 30 12:26:35 UTC 2023
On 30.05.23 14:00, openssl-users-request at openssl.org digested:
> From: Yannik Sembritzki <yannik at sembritzki.org>
>
> I am trying to cross-sign a third party certificate which is *not* self
> signed (e.g. a third party intermediate CA, or even a particular client
> certificate) [...]
> This results in the following error: "Error with certificate to be
> certified - should be self-signed"
[...]
> Could anybody explain the reason for this restriction?
I'm not saying that these hands down invalidate each and every use case,
but off the top of my head:
1. The cert (or, for that matter, CSR) being *self* signed serves as
proof that the requesting party is in possession of the private key.
2. You want to sign info on the subject you verified, not someone else's
interpretation of the subject; e.g., a person's cert from a 3rd party
CA giving the OU as "FooBar E-Mail-Reply Verified Personal
Certificates" is unlikely to correctly state the dpt. the person
works in. (Assuming that you would want to copy *anything* beyond the
pubkey from the preexisting cert into the new one, of course.)
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
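Both points above can be checked against a throwaway PKI. The following script is an added example and not part of the thread or of OpenSSL's own test suite; every file name, DN and key in it is constructed for the demo. It builds a third-party root and issuing CA plus a leaf they issued, builds a separate root of our own, shows that feeding the third-party issuing CA certificate straight into `openssl x509 -CA` is rejected with the error quoted in the question, and then issues a cross-certificate from the third-party public key alone (`openssl x509 -new -force_pubkey`, which needs OpenSSL 3.0 or later; older versions skip that half) and checks that the leaf now validates under our root through the cross-certificate.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "should be self-signed"
# rejection, then cross-sign a third-party issuing CA from its public key only.
# All names, files and DNs are constructed for this demo. Needs the openssl CLI;
# the -new/-force_pubkey step needs OpenSSL 3.0+.

# Build: third-party root -> third-party issuing CA -> leaf, plus our own root.
setup_pki() {
    # extensions for every CA certificate issued below
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' \
                  'subjectKeyIdentifier=hash' >ca.ext
    for name in 'tp:ThirdParty Root' 'my:Our Root'; do
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
            -keyout "${name%%:*}.key" -out "${name%%:*}.crt" \
            -subj "/CN=${name#*:}" -days 30 2>/dev/null
    done
    # third-party issuing CA; its private key stays with the third party
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out tpint.key 2>/dev/null
    openssl req -new -key tpint.key -subj '/CN=ThirdParty Issuing CA' -out tpint.csr
    openssl x509 -req -in tpint.csr -CA tp.crt -CAkey tp.key -CAcreateserial \
        -days 30 -extfile ca.ext -out tpint.crt 2>/dev/null
    # a leaf issued by that third-party issuing CA
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out leaf.key 2>/dev/null
    openssl req -new -key leaf.key -subj '/CN=leaf.example.test' -out leaf.csr
    openssl x509 -req -in leaf.csr -CA tpint.crt -CAkey tpint.key -CAcreateserial \
        -days 30 -out leaf.crt 2>/dev/null
}

# Returns 0 when openssl rejects the non-self-signed cert as direct input
# (the behaviour discussed in the thread), 1 if it unexpectedly accepts it.
direct_cross_sign_rejected() {
    if openssl x509 -in tpint.crt -CA my.crt -CAkey my.key -CAcreateserial \
            -days 30 -out cross-direct.crt 2>direct.err; then
        return 1
    fi
    grep -qi 'should be self.signed' direct.err
}

# Cross-sign from the public key only (OpenSSL 3.0+). We choose the subject
# ourselves instead of copying the third party's attributes; it must still
# equal the issuer name found in the leaf certificates or chains will not build.
cross_sign_from_pubkey() {
    openssl x509 -in tpint.crt -pubkey -noout >tpint.pub
    openssl x509 -new -subj '/CN=ThirdParty Issuing CA' -force_pubkey tpint.pub \
        -CA my.crt -CAkey my.key -CAcreateserial -days 30 \
        -extfile ca.ext -out cross.crt
}

# $1 = trust anchor, $2 = untrusted intermediate; 0 if leaf.crt validates
leaf_verifies_under() {
    openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1
}

# Runs the whole demo in a temporary directory (subshell, so cwd is restored)
# and prints "ok" on success.
run_demo() (
    set -e
    cd "$(mktemp -d)"
    setup_pki
    direct_cross_sign_rejected
    leaf_verifies_under tp.crt tpint.crt              # chains to third-party root
    if leaf_verifies_under my.crt tpint.crt; then     # but not to ours (yet)
        echo 'unexpected: leaf already validates under our root' >&2
        exit 1
    fi
    if openssl x509 -help 2>&1 | grep -q -- '^ *-new '; then
        cross_sign_from_pubkey
        leaf_verifies_under my.crt cross.crt          # now it does, via cross.crt
    else
        echo "note: 'openssl x509 -new' needs OpenSSL 3.0+; pubkey cross-signing skipped" >&2
    fi
    echo ok
)
```

Run it with `sh demo.sh && echo passed` (or call `run_demo` after sourcing the file). The direct attempt fails because nothing in the third-party certificate proves to our CA that the requester holds the key (point 1), and the `-new` route makes explicit that the cross-certificate carries only the public key plus subject data we chose to assert (point 2).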