{"id":1469,"date":"2015-10-29T14:49:32","date_gmt":"2015-10-29T18:49:32","guid":{"rendered":"https:\/\/risacher.org\/jfdi\/?p=1469"},"modified":"2016-08-23T11:48:56","modified_gmt":"2016-08-23T15:48:56","slug":"what-happens-when-you-sign-a-pki-server-certificate-with-another-non-ca-server-cert","status":"publish","type":"post","link":"https:\/\/risacher.org\/jfdi\/2015\/10\/what-happens-when-you-sign-a-pki-server-certificate-with-another-non-ca-server-cert\/","title":{"rendered":"What happens when you sign a PKI server certificate with another (non-CA) server cert?"},"content":{"rendered":"<p><strong>tl;dr<\/strong> For years, I have wondered what would happen if you tricked OpenSSL into signing a server certificate with a non-CA cert. Unsurprisingly, nothing useful. Interesting, but not useful.<!--more--><\/p>\n<p>So, I&#8217;m a cheapskate and I buy the el-cheapo domain-control-validated SSL certificates for risacher.org for $17\/year. That gets me a cert with alternative names &#8220;risacher.org&#8221; and &#8220;www.risacher.org&#8221;. I currently host risacher.org on Amazon&#8217;s EC2 service, but I also have a few apps that I host for myself on the server in my basement, connected via my residential internet service. Since the web apps on this server are not used by anyone but me, I&#8217;ve been content to use self-signed certificates for it.<\/p>\n<p>But I&#8217;ve always wondered &#8211; what would happen if you tricked OpenSSL into thinking you are a Certificate Authority (CA), and signing a certificate for &#8220;basement.risacher.org&#8221; using the certificate for &#8220;risacher.org&#8221; as the CA cert?\u00a0 Could you act as your own CA &#8220;for free&#8221; to create unlimited subdomain certificates?<\/p>\n<p>This should not work. 
The server certificate includes a constraint that says it is not a CA certificate.\u00a0 It basically shouldn&#8217;t even be possible, but math is math, and the signing operations are the same for a CA certificate as they are for any other certificate. If you have the public &amp; private keys, the rest is just formatting &amp; metadata, right?<\/p>\n<p>Long story short, I finally tried this yesterday. I created a certificate signing request for the server in my basement, and I signed it with the $17 server cert that I got from &#8220;PositiveSSL&#8221;, which chains up to &#8220;USERTrust&#8221;. It took some minor trickery to get OpenSSL to do this, but it wasn&#8217;t particularly difficult.\u00a0 Once installed, both Firefox and Internet Explorer reject the certificate as invalid, and provide no option to accept the risk and use it anyway. Internet Explorer simply reports &#8220;There is a problem with this website\u2019s security certificate.&#8221; Firefox gives slightly more information in that it names the error &#8220;sec_error_inadequate_key_usage&#8221;, an error message I don&#8217;t think I&#8217;ve ever seen before.<\/p>\n<p>Interestingly, I also tried to access it with Mobile Safari, which reported an invalid certificate but <em><strong>did<\/strong><\/em> allow me to accept the risk.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>tl;dr For years, I have wondered what would happen if you tricked OpenSSL into signing a server certificate with a non-CA cert. Unsurprisingly, nothing useful. 
Interesting, but not useful.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,21],"tags":[],"class_list":["post-1469","post","type-post","status-publish","format-standard","hentry","category-it","category-pki"],"_links":{"self":[{"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/posts\/1469","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/comments?post=1469"}],"version-history":[{"count":10,"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/posts\/1469\/revisions"}],"predecessor-version":[{"id":1505,"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/posts\/1469\/revisions\/1505"}],"wp:attachment":[{"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/media?parent=1469"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/categories?post=1469"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/tags?post=1469"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}