Re: X509 V1 intermediate CA vs end-entity
You can find out if the V1 cert verifies directly with any of the certificates in the trust store or its own public key. There's pretty much nothing else you can do with it, other than try to link it to a Distinguished Name that may or may not be useful. Also, (EXFLAG_V1|EXFLAG_SS) doesn't tell you if it's intended to be a CA certificate. X.509 actually disclaims the idea of self-signed certificates altogether (except as containers for trust anchors). -Kyle H On Tue, Sep 25, 2012 at 10:33 PM, sanjaya joshi wrote: > Hi steve, > Thanks. Got it. > That means we can't differentiate between CA and end-entity in case of V1 > certificate. > We can only find out if the V1 cert is a self-signed certificate or not. > Correct ? > > Regards, > Sanjaya > > > On Wed, Sep 26, 2012 at 2:36 AM, Dr. Stephen Henson > wrote: >> >> On Tue, Sep 25, 2012, sanjaya joshi wrote: >> >> > >> > We can conclude an X509 V1 certificate to be a root ca using >> > (EXFLAG_V1|EXFLAG_SS). >> > Similarly, is there a way to know whether an X509 V1 certificate is an >> > intermediate CA or end-entity certificate ? >> > >> >> You can't: there is nothing in a V1 certificate to mark it as a CA. You >> can't >> actually be sure it is a root CA using the test you mentioned above: it >> could >> be a self signed end entity certificate. >> >> Steve. >> -- >> Dr Stephen N. Henson. OpenSSL project core developer. >> Commercial tech support now available see: http://www.openssl.org >> __ >> OpenSSL Project http://www.openssl.org >> User Support Mailing Listopenssl-users@openssl.org >> Automated List Manager majord...@openssl.org > > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: X509 V1 intermediate CA vs end-entity
Hi steve, Thanks. Got it. That means we can't differentiate between CA and end-entity in case of V1 certificate. We can only find out if the V1 cert is a self-signed certificate or not. Correct ? Regards, Sanjaya On Wed, Sep 26, 2012 at 2:36 AM, Dr. Stephen Henson wrote: > On Tue, Sep 25, 2012, sanjaya joshi wrote: > > > > > We can conclude an X509 V1 certificate to be a root ca using > > (EXFLAG_V1|EXFLAG_SS). > > Similarly, is there a way to know whether an X509 V1 certificate is an > > intermediate CA or end-entity certificate ? > > > > You can't: there is nothing in a V1 certificate to mark it as a CA. You > can't > actually be sure it is a root CA using the test you mentioned above: it > could > be a self signed end entity certificate. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
Re: X509 V1 intermediate CA vs end-entity
On Tue, Sep 25, 2012, sanjaya joshi wrote: > > We can conclude an X509 V1 certificate to be a root ca using > (EXFLAG_V1|EXFLAG_SS). > Similarly, is there a way to know whether an X509 V1 certificate is an > intermediate CA or end-entity certificate ? > You can't: there is nothing in a V1 certificate to mark it as a CA. You can't actually be sure it is a root CA using the test you mentioned above: it could be a self signed end entity certificate. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: X509 V1 intermediate CA vs end-entity
Can you figure out a way to do it from the v1 fields? keyUsage is an extension requiring v3. -Kyle H On Sep 24, 2012 11:28 PM, "sanjaya joshi" wrote: > Hi, > > We can conclude an X509 V1 certificate to be a root ca using > (EXFLAG_V1|EXFLAG_SS). > Similarly, is there a way to know whether an X509 V1 certificate is an > intermediate CA or end-entity certificate ? > > Regards, > Sanjaya >