35

It would be nice to spread the trust around a bit, so we don't have to rely on just one root in any instance.

Is it possible to have a single certificate signed by more than one CA?

Ben Sand

5 Answers

21

No, the X509 certificate format up to version 3 is designed to contain exactly one signature.

President James K. Polk
  • But are there alternate formats which support multiple signatures? – Jumbogram Jun 29 '11 at 20:26
  • @Jumbogram: I am not aware of any alternate formats for X509 certificates that support multiple signatures. There is the PKCS#7 standard and variants which allow for multiple signatures, but these are not supported by TLS. And there are defined TLS extensions that support PGP keys which can have multiple signatures, but I don't think there is much support out there for those extensions. – President James K. Polk Jun 29 '11 at 22:28
  • Thanks. I'm trying to find out if it's possible to have multiple CAs certify the one SSL session. I realise I didn't quite ask that question, so I might rephrase and make a new one, but your answer has helped me. – Ben Sand Jun 30 '11 at 07:41
8

Yes, it is possible. You can find an example here:

http://www.confusedamused.com/notebook/fixing-verisign-certificates-on-windows-servers/


bedrin
  • I'm not convinced by that article. I think the author uses "cross-signed" when he means "two certificates for the same entity, issued by two different chains". His screenshots also show a slightly different certificate name (LYNC-PROD-08 vs LYNC-PROD-08.fngn.com). – Duncan Jones Oct 25 '17 at 08:44
  • How would I configure both those chains in a service like nginx? AFAIK TLS 1.2 only allows to receive a single chain. – Alexander Stumpf Nov 10 '22 at 16:32
7

Can an SSL certificate be signed by multiple certificate authorities?

It depends, but mostly NO. It depends on the PKI being used. There are two widespread PKIs used, and neither of them allow it.

The first widespread PKI is under CA/Browser Baseline Requirements. The CA/B BR documents what browsers are doing. The second one is the IETF's PKIX. It's what user agents like curl and wget follow. Neither of them allow it.

The CA/B and the IETF have slightly different rules. For a more in-depth discussion, see How do you sign Certificate Signing Request with your Certification Authority?


Now, there are two other options that could work for you, but they will require some work.

The first alternate option is to run your own PKI that does allow it. But browsers and other user agents won't know how to handle the certificates.

The second alternate option is to use an extension that includes the second authority's certification. Then, the primary authority, like a public CA, would sign the request with extension. Typical user agents will use the customary public CA signature, while your custom software will use the embedded alternate signature.

Extensions are usually used for policy (like conveying "extended validation" information), but it may work here. However, the IETF's PKI lacks policy, so you may need to get creative.


Also see Is it possible to have a certificate signed by 2 authorities? on Super User.

Also see Certificate with Multiple Signers? on the PKIX mailing list. PKIX is the Internet's PKI as called out by the IETF.

jww
4

Yes, a certificate may be signed by multiple CA's. The term for this is cross-signing. See https://letsencrypt.org/certificates/ for a good description of how this works. Note that in the diagram at the top of the page, several of Let's Encrypt's intermediate certificates are signed by two root certificates (ISRG Root X1 and DST Root CA X3). Also, see https://security.stackexchange.com/questions/14043/what-is-the-use-of-cross-signing-certificates-in-x-509 for more info.

mti2935
0

No, one single certificate is signed by only one CA. But you can have two so-called cross-signed certificates, which share the same private and public key and the same common name and other common information, but signed by two different CAs. In that case, they are both equally valid alternatives for the validation of a certificate on a lower level which is issued by one of them.
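The last two answers describe the same thing from opposite directions: one certificate holds one signature, and "cross-signing" means issuing two certificates for the same key and subject from two different CAs. The script below is an added example, not code from the thread or from any of its posters. It assumes only the openssl command-line tool; the CA names ("Root A", "Root B"), the subject "server.example", the file names and the 30-day lifetimes are all constructed for the demonstration. It builds two throwaway roots, signs one CSR with each, then checks with asn1parse that every certificate carries exactly one signatureValue at the top level, that both certificates wrap the same public key, and that each verifies only against the root that issued it.

```shell
#!/bin/sh
# Added example (not from the original thread): build two cross-signed
# certificates for ONE server key, each signed by a different root CA, and
# check that each certificate carries exactly one signature.
# "Root A", "Root B", "server.example" and the file names are made up.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA: key and certificate under the given base name.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

setup_pki() {
    make_root rootA "Root A"
    make_root rootB "Root B"
    # One server key and one CSR for it.
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=server.example" >/dev/null 2>&1
    # The same CSR signed by each root: two certificates with the same
    # subject and public key but a different issuer and a different signature.
    for ca in rootA rootB; do
        openssl x509 -req -in server.csr -CA "$ca.pem" -CAkey "$ca.key" \
            -CAcreateserial -days 30 -out "server-by-$ca.pem" >/dev/null 2>&1
    done
}

# Number of BIT STRINGs directly under the outer Certificate SEQUENCE.
# That position is the signatureValue field; X.509 v3 has exactly one.
# (The subjectPublicKey BIT STRING sits deeper, so it is not counted.)
signature_count() {
    openssl asn1parse -in "$1" | grep ':d=1 ' | grep -c 'BIT STRING'
}

# Exit status 0 when both certificates wrap the same SubjectPublicKeyInfo.
same_public_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Exit status 0 when the certificate chains to the given root.
verifies_against() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

setup_pki

for cert in server-by-rootA.pem server-by-rootB.pem; do
    echo "$cert: $(issuer_of "$cert"), signatures=$(signature_count "$cert")"
done

if same_public_key server-by-rootA.pem server-by-rootB.pem; then
    echo "both certificates carry the same public key"
fi

# Each certificate validates only against the root that signed it.
for cert in server-by-rootA.pem server-by-rootB.pem; do
    for root in rootA rootB; do
        if verifies_against "$cert" "$root.pem"; then
            echo "$cert verifies against $root"
        else
            echo "$cert does NOT verify against $root"
        fi
    done
done
```

The operational consequence, raised in the comment about nginx above, follows directly from this: a TLS server sends one certificate chain per handshake, so "trusting two roots" with cross-signed certificates means deploying whichever chain the relying parties you care about can validate, not presenting both signatures at once.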