2

If I use openssl to create a certificate authority (CA) root (e.g. this blog post or this MDN article) and use it to sign a certificate signing request (CSR), is the resulting signed certificate considered "self-signed" by current desktop PC browsers (Firefox, Chrome, IE)?

Does the answer depend on whether or not the CA root certificate is installed as a trusted authority in the relevant certificate manager?

My understanding is that the answer should be "No, and no." but I have a problem and don't know where my understanding is incorrect.

Stephen T. Robbins
  • 105
  • 1
  • 1
  • 8
  • This question appears to belong on another site in the Stack Exchange network because its not about programming or development. Perhaps you should try [Super User](http://superuser.com/), [Information Security Stack Exchange](http://security.stackexchange.com/) or [Crypto Stack Exchange](http://crypto.stackexchange.com/). – jww Mar 12 '15 at 23:43
  • *"My understanding is that the answer should be "No, and no." but I have a problem and don't know where my understanding is incorrect"* - you probably have problems with your DNS names. See this question: [How to create a self-signed certificate with openssl?](http://stackoverflow.com/a/27931596/608639) – jww Mar 12 '15 at 23:45
  • Wow I did not realize that Stack was so fragmented/siloed. I have my answer. Should I still move the question? Unless someone is really sure, then I'd err on the side of leaving it here so the next person can find out about the other relevant Stack sites. – Stephen T. Robbins Mar 13 '15 at 14:24
  • I am trying to make my own CA but am failing with browser errors which, when Googled, always brought up the question "Did you self-sign?". I was pretty sure not (since the CA and the end-entity use different private keys), but did not know for certain and could not find an authoritative answer. I saw that line from Wikipedia but wasn't sure if browsers decided to perceive things differently based on, for example, the organization field. – Stephen T. Robbins Mar 13 '15 at 14:30
  • Post the CA cert and the Server cert (end-entity cert). You can do so with `openssl x509 -in -text -noout>`. I've never had a problem "becoming my own CA", but I know where a number of landmines lay. – jww Mar 13 '15 at 19:21
  • http://stackoverflow.com/questions/29018917/when-does-firefox-throw-ssl-error-bad-cert-domain-with-a-wildcard-certificate Identified the source of my current problem. I assumed **[incorrectly]** that "a wildcard certificate" would also match the naked domain name natively from misreading the entry in Wikipedia [missed the word "not"; kind of important; oops]. – Stephen T. Robbins Mar 14 '15 at 00:02

1 Answers1

4

According to Wikipedia,

a self-signed certificate is one signed with its own private key.

That is, its creation does not require the signing of a certificate request by a certificate authority. And thus it does not matter whether or not the CA certificate is trusted on the local machine.

EDIT

According to the RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile:

CA certificates may be further divided into three classes: cross-certificates, self-issued certificates, and self-signed certificates. Cross-certificates are CA certificates in which the issuer and subject are different entities. Cross-certificates describe a trust relationship between the two CAs. Self-issued certificates are CA certificates in which the issuer and subject are the same entity. Self-issued certificates are generated to support changes in policy or operations. Self-signed certificates are self-issued certificates where the digital signature may be verified by the public key bound into the certificate. Self-signed certificates are used to convey a public key for use to begin certification paths.

Daniel W
  • 527
  • 1
  • 5
  • 13
  • Dude.... I laughed when I saw that... delete that answer before it gets down voted into oblivion... Check [RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile](http://www.ietf.org/rfc/rfc5280.txt) if you need a definition of a self signed certificate *with* the relevant bits. It surely does not digest into one sentence... – jww Mar 13 '15 at 00:27
  • 1
    @jww I don't see any difference, just an expansion. If issuer = subject, issuer private key = subject private key, so Daniel's one-liner is perfectly valid. – user207421 Mar 13 '15 at 02:54