Finding a Certificate Chain (and more with X.509, PKI and TLS/SSL)

    Manoj Chaurasia

    Attached is a PPT in PDF form that covers a good amount of ground on X.509, PKI, and TLS/SSL.

    1. All browsers will validate a chain, but when you go to find the chain, the browsers will pick the first certificate based on the Distinguished Name. Many CA cert vendors are re-releasing 'same-named' CA certs, so the chain can be a 'false chain'. Why is this? It is cryptographically cheaper to parse a public key and certificate than it is to validate the signature, and it is not always possible to trace serial numbers, so browser vendors look to the DN/CN and pick the first one they find. Bob is Bob, even if the DNA is different? No.

    2. Sites are not under any obligation to send the full chain. I have many examples of partial chains, usually missing the self-signed ROOT.

    3. Some sites are 'rooted' (pun intended) with a very old CA (X.509v1-based), and modern infrastructure may reject them for valid security reasons.
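As an added example (not from the post or its attached slides), the following openssl shell script reproduces point 1 and touches point 3: it creates two CA certificates with an identical Distinguished Name but different keys, issues a leaf under one of them, and compares issuer selection by DN matching against signature verification, also printing each CA's X.509 version. All names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: two self-signed CA certs share one
# subject DN but use different keys; a leaf is issued under the first one.
# Picking the issuer by DN alone accepts both CAs (a 'false chain'); only
# signature verification tells them apart. All names here are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Two CAs with an identical Distinguished Name (a "re-released" same-named CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7 \
    -subj "/O=Example Org/CN=Example Intermediate CA" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
make_ca ca_old
make_ca ca_new

# A leaf certificate signed by ca_old only.
openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca_old.crt -CAkey ca_old.key \
  -CAcreateserial -days 7 -sha256 -out leaf.crt 2>/dev/null

# Naive chain building: is the candidate's subject DN equal to the leaf's issuer DN?
dn_matches() {
  [ "$(openssl x509 -noout -issuer -in leaf.crt | sed 's/^issuer=//')" = \
    "$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')" ]
}

# Real validation: does the candidate's public key verify the leaf's signature?
verifies_with() {
  openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1
}

# X.509 version of a certificate (point 3: v1-based roots may be rejected).
cert_version() {
  openssl x509 -noout -text -in "$1" | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

for ca in ca_old ca_new; do
  dn=no; sig=no
  dn_matches "$ca.crt" && dn=yes
  verifies_with "$ca.crt" && sig=yes
  echo "$ca: DN matches issuer=$dn signature verifies=$sig version=$(cert_version "$ca.crt")"
done
```

Both CAs pass the DN check, but only ca_old passes `openssl verify`; a chain builder that stops at the DN match would present the wrong CA.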