Valid SSL certificate issuing fradulent certificates

2018-06-07 02:22:40

I believe I mostly understand the verification chain related to SSL certificates. However there is a scenario I am unsure about. Consider this scenario: a trusted CA signs a certificate for Server A. The owner of this valid certificate uses the Server A private/public key to sign a fraudulent certificate for a malicious entity (Server B).

If a client were to connect to another entity and malicious server B was in the middle, couldn't it send back its certificate and be verified by the client as being authentic? ie Server B sends its public cert and Server A's cert, the client machine verifies that: trusted CA issued server As cert (so its valid) and server As key was used to issue server B (since A is trusted, B is trusted).

I guess phrased in another way, does every intermediate certificate authority need to be in the trusted certificate store (it seems like the answer is yes)

A normal SSL certificate can't be using for signing other certificates. You need a signing certificate. A trusted CA will only sign a signing certificate for an entity that it also trusts, and there is a whole 'nother level of checking around that.

链接地址: http://www.djcxy.com/p/21824.html

上一篇: ACE SSL错误：对等方没有返回证书

下一篇: 有效的SSL证书颁发欺诈性证书