Difference between self-signed CA and self-signed certificate [closed]

by

First, about the distinction between key and certificate (regarding “CA key”), there are 3 pieces used when talking about public-key certificates (typically X.509): the public key, the private key and the certificate.
The public key and the private key form a pair. You can sign and decrypt with the private key, you can verify (a signature) and encrypt with the public key. The public key is intended to be distributed, whereas the private key is meant to be kept private.

A public-key certificate is the combination between a public key and various pieces of information (mostly regarding the identity of the owner of the key pair, whoever controls the private key), this combination being signed using the private key of the issuer of the certificate.
An X.509 certificate has a subject distinguished name and an issuer distinguished name. The issuer name is the subject name of the certificate of the entity issuing the certificate. Self-signed certificates are a special case where the issuer and the subject are the same.
By signing the content of a certificate (i.e. issuing the certificate), the issuer asserts its content, in particular, the binding between the key, the identity (the subject) and the various attributes (which may indicate intent or scope of usage for the certificate).

On top of this, the PKIX specification defines an extension (part of a given certificate) which indicates whether a certificate may be used as a CA certificate, that is, whether it can be used as an issuer for another certificate.

From this, you build a chain of certificates between the end-entity certificate (which is the one you want to verify, for a user or a server) and a CA certificate you trust. There may be intermediate CA certificates (issued by other CA certificates) between the end-entity certificate of your service and the CA certificate you trust. You don’t strictly need a root CA at the top (a self-signed CA certificate), but it’s often the case (you may choose to trust an intermediate CA certificate directly if you wish).

For your use case, if you generate a self-signed certificate for a specific service, whether it has the CA flag (basic constraints extension) doesn’t really matter. You would need it to be a CA certificate to be able to issue other certificates (if you want to build your own PKI). If the certificate you generate for this service is a CA certificate, it shouldn’t do any harm. What matters more is the way you can configure your client to trust that certificate for this particular server (browsers should let you make an explicit exception quite easily for example). If the configuration mechanism follows a PKI model (without using specific exceptions), since there won’t be a need to build a chain (with just one certificate), you should be able to import the certificate directly as part of the trust anchors of your client, whether it’s a CA certificate or not (but this may depend on the configuration mechanism of the client).

More Related Contents:

  1. How to generate a self-signed SSL certificate using OpenSSL?
  2. Installation SSL in wamp server: Error in httpd-ssl.conf
  3. Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)
  4. How can I generate a self-signed certificate with SubjectAltName using OpenSSL? [closed]
  5. Docker container SSL certificates
  6. How do I restore a missing IIS Express SSL Certificate?
  7. Third-Party Signed SSL Certificate for localhost or 127.0.0.1?
  8. Use self signed certificate with cURL?
  9. How to install OpenSSL in windows 10?
  10. How to add subject alernative name to ssl certs?
  11. Why does Python requests ignore the verify parameter?
  12. curl: Unknown error (0x80092012) – The revocation function was unable to check revocation for the certificate
  13. Generating client side certificates in browser and signing on server
  14. Are HTTPS URLs encrypted?
  15. How to fix the “java.security.cert.CertificateException: No subject alternative names present” error?
  16. “SSL: certificate_verify_failed” error when scraping https://www.thenewboston.com/
  17. Import certificate as PrivateKeyEntry
  18. How to ignore PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException?
  19. Within a web browser, is it possible for JavaScript to obtain information about the HTTPS Certificate being used for the current page?
  20. SSL error with Python requests despite up-to-date dependencies
  21. Nginx configuration leads to endless redirect loop
  22. What does “SSLError: [SSL] PEM lib (_ssl.c:2532)” mean using the Python ssl library?
  23. How to create a self-signed certificate for a domain name for development on Windows 10 and below?
  24. kubectl unable to connect to server: x509: certificate signed by unknown authority
  25. Webpack Dev Server running on HTTPS/Web Sockets Secure
  26. PushSharp APNS production: The credentials supplied to the package were not recognized (development works fine though)
  27. SSL Certificate add failed when binding to port
  28. Java: Loading SSL Keystore via a resource
  29. How to connect to database with SSL in google apps script?
  30. Ignore self-signed ssl cert using Jersey Client [duplicate]

Leave a Comment