Can an SSL certificate be signed by multiple certificate authorities?

Posted 2019-03-14 17:40

It would be nice to spread the trust around a bit, so we don't have to rely on just one root in any instance.

Is it possible to have a single certificate signed by more than one CA?

3 answers

在下西门庆
Post #2 · 2019-03-14 17:47

Anthone
Post #3 · 2019-03-14 17:52

No, the X.509 certificate format up to version 3 is designed to contain exactly one signature.

Summer. ? 凉城
Post #4 · 2019-03-14 17:54

Can an SSL certificate be signed by multiple certificate authorities?

It depends, but mostly NO. It depends on the PKI being used. There are two widespread PKIs used, and neither of them allow it.

The first widespread PKI is under CA/Browser Baseline Requirements. The CA/B BR documents what browsers are doing. The second one is the IETF's PKIX. It's what user agents like curl and wget follow. Neither of them allow it.

The CA/B and the IETF have slightly different rules. For a more in-depth discussion, see How do you sign Certificate Signing Request with your Certification Authority?


Now, there are two other options that could work for you, but they will require some work.

The first alternate option is to run your own PKI that does allow it. But browsers and other user agents won't know how to handle the certificates.

The second alternate option is to use an extension that includes the second authority's certification. Then, the primary authority, like a public CA, would sign the request with extension. Typical user agents will use the customary public CA signature, while your custom software will use the embedded alternate signature.

Extensions are usually used for policy (like conveying "extended validation" information), but it may work here. However, the IETF's PKI lacks policy, so you may need to get creative.


Also see Is it possible to have a certificate signed by 2 authorities? on Super User.

Also see Certificate with Multiple Signers? on the PKIX mailing list. PKIX is the Internet's PKI as called out by the IETF.
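An added example, written for this page and not taken from the thread or any answerer, using only the Python standard library: it walks the DER layout of an RFC 5280 Certificate to show the single signatureValue slot the answers above refer to, and where an extension carrying a second authority's signature (the workaround in the last answer) would sit: inside tbsCertificate, i.e. covered by the primary CA's one signature. The certificate bytes, the extension OID 1.3.6.1.4.1.99999.1 and the key and signature blobs are constructed placeholders, not a verifiable certificate.

```python
# Constructed, stdlib-only demo: one outer signature per X.509 v3 certificate, extensions inside the TBS.
from typing import Iterator, Optional, Tuple

SEQ, SET, INT, BITSTR, OCTSTR, NULL, OID, PRINT, UTCTIME = 0x30, 0x31, 0x02, 0x03, 0x04, 0x05, 0x06, 0x13, 0x17
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")            # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
RSA_ENC = bytes.fromhex("2a864886f70d010101")               # 1.2.840.113549.1.1.1 rsaEncryption
SECOND_AUTHORITY_OID = bytes.fromhex("2b06010401868d1f01")  # 1.3.6.1.4.1.99999.1, PLACEHOLDER private arc
SECOND_SIG_BLOB = b"\xAA" * 16                              # stand-in for the second CA's signature bytes

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def tlv_iter(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, content) for each consecutive DER TLV in `data`."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                                  # long-form length: next k bytes hold the length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n

def name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF { commonName OID, PrintableString }."""
    return der(SEQ, der(SET, der(SEQ, der(OID, b"\x55\x04\x03") + der(PRINT, cn.encode()))))

# tbsCertificate: the single block of data the (single) outer signature covers, extensions included
TBS = der(SEQ,
    der(0xA0, der(INT, b"\x02")) + der(INT, b"\x01")                      # [0] version v3, serialNumber
    + der(SEQ, der(OID, SHA256_RSA) + der(NULL, b""))                     # signature algorithm
    + name("Example CA") + der(SEQ, der(UTCTIME, b"190314174000Z") + der(UTCTIME, b"200314174000Z"))
    + name("example.test")
    + der(SEQ, der(SEQ, der(OID, RSA_ENC) + der(NULL, b"")) + der(BITSTR, b"\x00" * 9))   # placeholder SPKI
    + der(0xA3, der(SEQ, der(SEQ, der(OID, SECOND_AUTHORITY_OID) + der(OCTSTR, SECOND_SIG_BLOB)))))  # [3] exts
SAMPLE_CERT = der(SEQ, TBS + der(SEQ, der(OID, SHA256_RSA) + der(NULL, b"")) + der(BITSTR, b"\x00" + b"\xBB" * 16))

def certificate_layout(cert_der: bytes) -> dict:
    """Top level per RFC 5280: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    (outer_tag, outer), = tlv_iter(cert_der)
    tags = [t for t, _ in tlv_iter(outer)]
    return {"outer_is_sequence": outer_tag == SEQ, "top_level_tags": tags,
            "signature_slots": tags.count(BITSTR)}   # exactly one BIT STRING: one signature, one issuer

def extension_value(cert_der: bytes, oid: bytes) -> Optional[bytes]:
    """Pull an extension's OCTET STRING out of the signed tbsCertificate (what custom software would do)."""
    tbs = next(tlv_iter(next(tlv_iter(cert_der))[1]))[1]
    for tag, content in tlv_iter(tbs):
        if tag == 0xA3:                                           # [3] EXPLICIT Extensions
            for _, ext in tlv_iter(next(tlv_iter(content))[1]):
                parts = [c for _, c in tlv_iter(ext)]             # OID, optional critical BOOLEAN, value
                if parts[0] == oid:
                    return parts[-1]
    return None
```

Any bytes placed in the extension are themselves under the primary CA's signature, which is why a relying party that does not know the OID simply ignores them while the standard chain validation is unchanged.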
