intermediate root authority cross chain validation

2019-09-16 08:27发布

问题:

I have created a root CA(CA-R) and two intermediary CA's(CA-I1 & CAI2)(all self-signed).

Using CA-I1, I generated a private key for a server1/client1, CSR & created the certs. Installed the certs for Server1(Apache2) and client1.Im successfully able to connect to the server1 using my client1(python client).

Here is the chain -> client1->server1->CA-I1->root CA

Using CA-I2, I generated a private key for a server2/client2, CSR & created the certs. Installed the certs for Server2(Apache2) and client2. Im successfully able to connect to the server2 using my client2(python client).

Here is the chain -> client2->server2->CA-I2->root CA.

Now, I would like to know if using client2 can I connect to server1 by adding the certs of the CA-I1(as both CA-I1 & CA-I2 are from same Root CA)part of python client. Basically want to know if I can cross chain authenticate.

回答1:

Here is the chain -> client1->server1->CA-I1->root CA

I hope you did not sign the client certificates with the server certificates as your question suggests but that you signed the client certificates with the CA certificates (i.e. CA-I1, CA-I2). Otherwise this would only work if the server certificate would be both used as a leaf certificate for server authentication and as a CA certificate to sign the client certificate. These different kinds of use cases are better not merged into a single certificate. Thus what you should actually use is:

   server1 -> CA-I1 -> root-CA
   client1 -> CA-I1 -> root-CA
   server2 -> CA-I2 -> root-CA
   client2 -> CA-I2 -> root-CA

... if using client2 can I connect to server1 by adding the certs of the CA-I1(as both CA-I1 & CA-I2 are from same Root CA)part of python client

Each client and server can trust several CA and the certificates used for client and server certificate validation can actually be different. But, considering that server1 trusts any certificate signed by root-CA for client authentication it will trust both client1 and client2, providing that all intermediate certificates needed to build the trust chain to root-CA are sent by the client together with the leaf certificate. This is not different from server authentication.