RFC5280 categorize certificate into two classes: CA certificates and end entity certificates, and CA certificates are divided into three classes: cross-certificates, self-issued certificates, and self-signed certificates.
certificate +- CA certificate +- cross-certificate +- self-issued certificate +- self-signed certificate +- end entity certificate
“Cross-certificates are CA certificates in which the issuer and subject are different entities. Cross-certificates describe a trust relationship between the two CAs.” [RFC5280]
“Self-issued certificates are CA certificates in which the issuer and subject are the same entity. Self-issued certificates are generated to support changes in policy or operations.” [RFC5280]
“Self-signed certificates are self-issued certificates where the digital signature may be verified by the public key bound into the certificate. Self-signed certificates are used to convey a public key for use to begin certification paths.” [RFC5280]
Self-signed certificates are special self-issued certificates, so we also can redraw the above tree as:
certificate +- CA certificate +- cross-certificate +- self-issued certificate +- self-signed certificat +- end entity certificate
Notes of Self-Signed Certificate
“The trust anchor information may be provided to the path processing procedure in the form of a self-signed certificate.” [RFC5280]
“When the trust anchor is provided in the form of a self-signed certificate, this self-signed certificate is not included as part of the prospective certification path.” [RFC5280]
Note of Self-Issued Certificate
“Name constraints are not applied to self-issued certificates (unless the certificate is the final certificate in the path).” [RFC5280]
“However, a CA may issue a certificate to itself to support key rollover or changes in certificate policies. These self-issued certificates are not counted when evaluating path length or name constraints.”
The pathLenConstraint field of basic constrains extension “gives the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path.”
The valude of inhibit anyPolicy extension “indicates the number of additional non-self-issued certificates that may appear in the path before anyPolicy is no longer permitted.”
Identify a Self-Issued Certificate
RFC5280 requires that if the names in the issuer and subject field in a certificate match according to the comparison rules of internationalized names in distingushed names, then the certificate is self-issued. Please refer to section 7.1 of [RFC5280] about the comparison rules.
However, RFC3280 does not define the comparison rules, which requires that, “A certificate is self-issued if the DNs that appear in the subject and issuer fields are identical and are not empty.” The specificate implies a binary comparison of the subject and issuer fields.
I think a good practice would have the same binary subject and issuer fields while issue a self-issued certificate.
Identify a Self-Signed Certificate
Sounds like a stupid title, just as its name implies, it is self signed, so it is self identifiable, i.e., the public key bound into the certificate could be used to verify the digital signature of the same certificate. Definitely, it’s true. OK, we get a bi-steps process:
- Identify that a certificate is a self-issued certificate;
- Verify the certificate digital signature with the public key bound.
That’s a precious process, but not a effective process. Digital signature verify normally hurts a lot of performance, and generally it is not needed to verify the digital signature during build a prospective certification path.
Identify a Self-Signed Certificate Effectively
Self-signed, in other words, the key bound into the certificate is the same as the key used to sign the certificate. Could we identify it by comparing the key bound and the key used to generate the certificate signature? Here comes the authority key identifier extension and the subject key identifier extension, refer to RFC3280/RFC5280 for details.
To facilitate certification path construction, the specification requires that the authority key identifier extension and the subject key identifier extension MUST be appear in all conforming CA certificate. “There is one exception; where a CA distributes its public key in the form of a “self-signed” certificate, the authority key identifier MAY be omitted.”
With the help of the two key identifier extensions, we get the following steps:
- Identify that a certificate is a self-issued certificate;
- For conforming CAs, if the subject key identifier extension appears, but no authority key identifier extension, it is a self-signed certificate; if the both appear, it is a self-signed certificate when the KeyIdentifier is identical.
- For non-conforming CAs, Verify the certificate digital signature with the public key bound.
Always issue certificate with subject key identifier extension and authority key identifier extension.
Always include the keyIdentifier field in the authority key identifier extension.
Always have the same binary subject and issuer fields while issue a self-issued certificate.
Only issue self-issued certificate as CA certificate.
For TLS, always send the intermediate self-issued certificate within the response certificate list, otherwise, the recepient normally cannot build a certification path to its trust anchors.
The Problematic Practices Encountered
- A self-signed CA certificate issues 1+ self-issued end entity certificates.
There is no problem to issue such self-issued End-Entity certificate, but I’m afraid many PKIX libraries would not be able to handle it properly. If your application dependents on third party’s PKIX library, and if you have to issue such certificates, please do check the library and make sure it supports such cases.
- A self-signed CA certificate issues a self-issued certificate as an indirect CRL issuer.
It is special example of self-issed end-entity certificate. Some CRL verification library cannot handle such a indirect CRL issuer correctly, please double check the library to make sure such indirect CRL issuer is supported.
Java SE SDK support the above two problemtic cases at OpenJDK 7 build 60. If you application have to support above cases, you need OpenJDK 7 build 60 at least.