
Trying to create something similar to this

Hello everyone, I'm trying to create something similar to this:


ssl.PNG.4f29f9245be876302bf43df2309774df.PNG

I've got 3 Root CAs; 1 is from my actual network, and I've got a new "business" called AstarSecurity. I am using a Windows-based CA. How can I achieve something like this?

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 

 


The question is can you create your own internal CA authority?? The answer would be yes.

Can Anybody Link A Virtual Machine while I go download some RAM?

 


3 minutes ago, unijab said:

The question is can you create your own internal CA authority?? The answer would be yes.

Sorry, I've worded it wrong. I've already got an internal CA. In fact, I've got 3 2-tier PKI setups. The question is: how can I achieve what is in the picture? It's a CrossCA between 2 roots: Certum's Root CA and SSL's Root CA.

 

If you take a look here, it shows that there is more than 1 trust path. That is what I want to set up.


image.png.a78148fd4978f48568246d12d6b79dc2.png

 

 


@leadeater You know your way around Windows Server. Do you have any ideas?


Unless I am missing something vital, certificates are only ever signed by one CA.

What is your goal here?


2 minutes ago, Acedia said:

Unless I am missing something vital, certificates are only ever signed by one CA.

What is your goal here?

My goal is to have 2 trust paths that lead to either of the Root CAs.

 

If you see here, there are 2 trust paths. That is what I want to achieve.

 


image.png

 


1 hour ago, Abdul201588 said:

My goal is to have 2 trust paths that lead to either of the Root CAs.

 

If you see here, there are 2 trust paths. That is what I want to achieve.

 


image.png

 

If you ask me that's not what's happening here. Certificate 3 in both chains is the same but with different fingerprints.


16 minutes ago, Acedia said:

If you ask me that's not what's happening here. Certificate 3 in both chains is the same but with different fingerprints.

:(


I can't think of a need for this since using certificates does not need active communication to the servers, there's no need for redundancy. Also how would you revoke a certificate if there's two governing bodies? 

 

The issue is each child certificate has to be signed by a parent and you can only have one signature per. So you can only have one path.

 

Do you have any examples of this being actively used? I went to ssl.com, and their chain is a single path - with each certificate only having a single signature.


52 minutes ago, Mikensan said:

I can't think of a need for this since using certificates does not need active communication to the servers, there's no need for redundancy. Also how would you revoke a certificate if there's two governing bodies? 

 

The issue is each child certificate has to be signed by a parent and you can only have one signature per. So you can only have one path.

 

Do you have any examples of this being actively used? I went to ssl.com, and their chain is a single path - with each certificate only having a single signature.

Yes, Entrustdatacard, Comodo (they've become Sectigo). Most do it because of older devices that might have issues when connecting to websites that use older algorithms such as SHA-1 and now older devices that do not support SHA-2. I've got the same problem. So devices won't work with SHA2.


49 minutes ago, Abdul201588 said:

Yes, Entrustdatacard, Comodo (they've become Sectigo). Most do it because of older devices that might have issues when connecting to websites that use older algorithms such as SHA-1 and now older devices that do not support SHA-2. I've got the same problem. So devices won't work with SHA2.

What in the world are you using that doesn't support SHA2? SHA2 was supported by Win XP era, and as far as I'm aware you can't get a cert from any CA with SHA1. Comodo, Entrust, and Sectigo all do not support SHA1. Even their big brother DigiCert doesn't support SHA1.

Also all major CAs shipped with O/S's were mandated to stop cutting SHA1 certs and all SHA1 issued certs after the mandate are to expire no later than 2016...

 

If you really have a need for SHA1 then create a new intermediate with SHA1 and only cut SHA1 certs from that intermediate. I've never seen two separate root CAs oversee each other's intermediates, it doesn't make sense - do you have an article?

 

I'm familiar with Microsoft's CA server and setting up a PKI, have never come across a scenario or need for multiple root CAs to work together. Certificates are like leaves on a tree, only a single stem and only a single trunk but there can certainly be plenty of branches to other leaves.


19 minutes ago, Mikensan said:

What in the world are you using that doesn't support SHA2? SHA2 was supported by Win XP era, and as far as I'm aware you can't get a cert from any CA with SHA1. Comodo, Entrust, and Sectigo all do not support SHA1. Even their big brother DigiCert doesn't support SHA1.

Also all major CAs shipped with O/S's were mandated to stop cutting SHA1 certs and all SHA1 issued certs after the mandate are to expire no later than 2016...

 

If you really have a need for SHA1 then create a new intermediate with SHA1 and only cut SHA1 certs from that intermediate. I've never seen two separate root CAs oversee each other's intermediates, it doesn't make sense - do you have an article?

 

I'm familiar with Microsoft's CA server and setting up a PKI, have never come across a scenario or need for multiple root CAs to work together. Certificates are like leaves on a tree, only a single stem and only a single trunk but there can certainly be plenty of branches to other leaves.

I meant their Root CAs are all SHA1; that is why they create a cross sign between SHA1 and SHA2.

 

This is Entrust's RootCA

 

0e548ddc835b0c80427f7ebac07e0ebf.png

 

Using SHA1

 

This is the other one, using SHA2

 

623922e54e8ea025cd8ba3e64b5e8620.png


Root CAs are not checked and are not required to be SHA2 right now. That second you pictured is just an intermediate CA, still doesn't show two separate root CAs managing it.

 

This is a common practice, so are you simply asking how to create an intermediate CA?


Just to add in case it's misunderstood - a root CA should not be cutting certificates to websites, like a tree trunk doesn't grow leaves. A root CA should only issue certificates to an intermediate CA who can either further issue a certificate to another intermediate or to servers/clients/whatever. Just depends on the business needs.

 

Root CAs are explicitly trusted, once you create it and create an intermediate CA you shut it off until you need to manage/create/revoke an intermediate CA.

 

All intermediate CAs will be SHA2 (256 or greater). So the root CA having SHA1 is not going to help older clients.


18 minutes ago, Mikensan said:

Root CAs are not checked and are not required to be SHA2 right now. That second you pictured is just an intermediate CA, still doesn't show two separate root CAs managing it.

 

This is a common practice, so are you simply asking how to create an intermediate CA?

 

5 minutes ago, Mikensan said:

Just to add in case it's misunderstood - a root CA should not be cutting certificates to websites, like a tree trunk doesn't grow leaves. A root CA should only issue certificates to an intermediate CA who can either further issue a certificate to another intermediate or to servers/clients/whatever. Just depends on the business needs.

 

Root CAs are explicitly trusted, once you create it and create an intermediate CA you shut it off until you need to manage/create/revoke an intermediate CA.

 

The SSL connection is only going to care about the intermediate CAs when it verifies the chain. All intermediate CAs will be SHA2 (256 or greater). So the root CA having SHA1 is not going to help older clients.

This is the chain for entrust

 

image.png.5d2df2f48e3782ddd3322a1fcb5e8b0a.png 

 

 


3 minutes ago, Abdul201588 said:

 

This is the chain for entrust

 

image.png.5d2df2f48e3782ddd3322a1fcb5e8b0a.png 

 

 

"Entrust" is the root CA,

"Entrust Root Certificate Authority - G2" and "Entrust Certification Authority - L1M" are intermediate CAs

"sitecore.entrustdatacard.com" is the website certificate.

 

You label a certificate any way you want, just because the second link in the chain is labeled "root" doesn't mean it is.

Just now, Mikensan said:

"Entrust" is the root CA,

"Entrust Root Certificate Authority - G2" and "Entrust Certification Authority - L1M" are intermediate CAs

"sitecore.entrustdatacard.com" is the website certificate.

 

You label a certificate any way you want, just because the second link in the chain is labeled "root" doesn't mean it is.

Then explain this:

 

SSL.PNG


I have no idea where you are getting this graphic from, but if you open either of the bottom two intermediate CAs you will only find a single root CA in the chain. Every endpoint cert will only ever have one root CA in the chain. You cannot sign a certificate with two authorities, who/whatever created the graphic is wrong unless it is implying something else. The second signature would change the certificate, invalidating the first signature. A hash is changed when the file/certificate is changed.

 

A root CA being SHA1 does not help older clients in any way whatsoever, because the intermediate CAs (even your graphic showcases this) are always going to be SHA2. If the client has an issue with SHA2 it will immediately fail (very unlikely since SHA2 has been supported since 2004-ish) with every public website using a mainstream CA since all intermediates are SHA2.

 

You'll never see these two blue boxes supporting one another's intermediate/sub CA.

CA Hierarchy


1 minute ago, Mikensan said:

 

Here is the link.

 

https://www.htbridge.com/ssl/?id=0estrNZL

 

The same goes for Comodo (Sectigo, DigiCert, GlobalSign)


That's a misleading graphic, using SSL Labs I downloaded both chains and had a look see and now I see what they did. It is a smart way to phase out the old Root CA without breaking the whole chain. It's not for compatibility, it's to keep the chain short and ever growing.

https://www.ssllabs.com/ssltest/analyze.html?d=entrustdatacard.com

 

The two G2 certs you see in the htbridge graphic are the same server with two certs. One signed by Entrust's Root, and one signed by itself.

 

Actually pretty nifty way to "cut" out the old root CA without just creating a whole new PKI. Just going to use ABCD, A being root D being client.

 

A issues itself then B who issues C who issues D. Path 1

B then issues itself a certificate, becoming a "root" CA. This doesn't change that B created C who created D. Path 2 (The branch becomes the trunk but the leaves are still the same)

 

 

So to recreate this if you wanted to for fun, create a Root CA, then create an intermediate CA, and a Sub. Then log back into the intermediate CA and assign itself a certificate.

 

However this still doesn't help old clients.
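The A/B/C/D procedure from the post above, rebuilt as a throwaway lab with the OpenSSL command line (an added example, not part of the thread and not a Windows CA procedure). The CA names, the `lab.cnf` profiles and the 30-day lifetimes are constructed for illustration; the script checks that D verifies to either anchor and that B's two certificates share a subject and key but have different fingerprints.

```shell
#!/usr/bin/env bash
# Added example: constructed lab PKI following the thread's A/B/C/D naming.
# All names, lifetimes and file names are made up for illustration.

write_conf() {  # minimal OpenSSL config: one CA profile, one leaf profile
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
}

# issue <dir> <name> <CN> <profile> <issuer-cert> <issuer-key>
# Creates <name>.key and <name>.csr, then has the issuer sign <name>.pem.
issue() {
    local d="$1" n="$2"
    openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=$3" 2>/dev/null &&
    openssl x509 -req -in "$d/$n.csr" -CA "$5" -CAkey "$6" -CAcreateserial \
        -extfile "$d/lab.cnf" -extensions "$4" -days 30 -out "$d/$n.pem" 2>/dev/null
}

build_lab() {
    local d="$1"
    write_conf "$d/lab.cnf" || return 1
    # A: the old root, self-signed.
    openssl req -x509 -config "$d/lab.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$d/A.key" -out "$d/A.pem" -subj "/CN=Lab Root A" \
        -days 30 2>/dev/null || return 1
    # Path 1: A issues B, B issues C, C issues D.
    issue "$d" B "Lab CA B" v3_ca "$d/A.pem" "$d/A.key" || return 1
    mv "$d/B.pem" "$d/B_by_A.pem" || return 1
    issue "$d" C "Lab CA C" v3_ca "$d/B_by_A.pem" "$d/B.key" || return 1
    issue "$d" D "host.lab.example" v3_leaf "$d/C.pem" "$d/C.key" || return 1
    # Path 2: B's request is signed again, this time with B's own key.
    # Same subject and same key pair, so C and D are untouched.
    openssl x509 -req -in "$d/B.csr" -signkey "$d/B.key" -extfile "$d/lab.cnf" \
        -extensions v3_ca -days 30 -out "$d/B_self.pem" 2>/dev/null || return 1
    cat "$d/B_by_A.pem" "$d/C.pem" > "$d/path1_intermediates.pem"
}

# verify_path <trust-anchor> <untrusted-intermediates> <leaf>
verify_path() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# True when two certificates carry the same subject and public key
# but are different certificates (different SHA-256 fingerprints).
same_ca_two_certs() {
    local f
    for f in subject pubkey; do
        [ "$(openssl x509 -in "$1" -noout -$f)" = \
          "$(openssl x509 -in "$2" -noout -$f)" ] || return 1
    done
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" != \
      "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

lab="$(mktemp -d)"
if build_lab "$lab"; then
    verify_path "$lab/A.pem" "$lab/path1_intermediates.pem" "$lab/D.pem" &&
        echo "path 1: D -> C -> B (signed by A) -> A verifies"
    verify_path "$lab/B_self.pem" "$lab/C.pem" "$lab/D.pem" &&
        echo "path 2: D -> C -> B (self-signed) verifies"
    same_ca_two_certs "$lab/B_by_A.pem" "$lab/B_self.pem" &&
        echo "B has two certificates: same subject and key, different fingerprints"
    verify_path "$lab/A.pem" "$lab/C.pem" "$lab/D.pem" ||
        echo "anchor A without B's certificate from A: chain does not build"
fi
rm -rf "$lab"
```

Which path a client ends up on depends only on which of B's two certificates it is given or already trusts; D and C are byte-for-byte the same in both.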


37 minutes ago, Mikensan said:

That's a misleading graphic, using SSL Labs I downloaded both chains and had a look see and now I see what they did. It is a smart way to phase out the old Root CA without breaking the whole chain. It's not for compatibility, it's to keep the chain short and ever growing.

https://www.ssllabs.com/ssltest/analyze.html?d=entrustdatacard.com

 

The two G2 certs you see in the htbridge graphic are the same server with two certs. One signed by Entrust's Root, and one signed by itself.

 

Actually pretty nifty way to "cut" out the old root CA without just creating a whole new PKI. Just going to use ABCD, A being root D being client.

 

A issues itself then B who issues C who issues D. Path 1

B then issues itself a certificate, becoming a "root" CA. This doesn't change that B created C who created D. Path 2 (The branch becomes the trunk but the leaves are still the same)

 

 

So to recreate this if you wanted to for fun, create a Root CA, then create an intermediate CA, and a Sub. Then log back into the intermediate CA and assign itself a certificate.

  

However this still doesn't help old clients.

So this is what I have:

 

af83696d4d1599e57530eedd8daa48e3.png

 

Which CA do I reissue the certificate?


3 minutes ago, Abdul201588 said:

So this is what I have:

 

af83696d4d1599e57530eedd8daa48e3.png

 

Which CA do I reissue the certificate?

You wouldn't reissue as much as you would issue a new additional one. It would be your second server from the top with the longest name.


4 minutes ago, Mikensan said:

You wouldn't reissue as much as you would issue a new additional one. It would be your second server from the top with the longest name.

I am sorry, I am not thinking clearly. Do I issue the same certificate?

 
