The PKIX documentation mentions:
1. The certificate representing the TrustAnchor should not be included in the certification path
My question is, where does this restriction come from? In RFC 5280 I only found:
2. A certificate MUST NOT appear more than once in a prospective certification path.
Does statement (2) in the RFC somehow imply statement (1)? Because I cannot see it.
What problem would be created by having the trust anchor in the path as well?
In the end, the TA certificate can validate itself.
Could anyone please explain this?
It’s more a definitional thing, IIUC. A valid certification path is defined in RFC 5280 and one condition is that its first certificate is signed by a trust anchor (and that the issuerName of the certificate matches that trust anchor’s name). (Trust anchors need not be certificates.)
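The definition in the answer above, as an added sketch that is not part of the original post or of any PKIX library: the trust anchor is an input to validation (a name and a public key), and the path's first certificate is checked against it. The `Cert` and `TrustAnchor` tuples, the helper names and the toy textbook RSA are assumptions made so the sketch runs with the standard library; it checks only name chaining, signatures and the no-duplicates rule, none of the other RFC 5280 checks.

```python
import hashlib
from collections import namedtuple

# Toy textbook RSA over Mersenne primes (illustrative stand-in for real signatures).
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

Cert = namedtuple("Cert", "issuer subject pubkey sig")   # hypothetical, simplified certificate
TrustAnchor = namedtuple("TrustAnchor", "name pubkey")   # a name and a key, no certificate

def tbs(issuer, subject, pubkey):
    return f"{issuer}|{subject}|{pubkey}".encode()       # the bytes that get signed

def issue(issuer, issuer_priv, subject, subject_pub):
    return Cert(issuer, subject, subject_pub, sign(issuer_priv, tbs(issuer, subject, subject_pub)))

def validate_path(anchor, path):
    """Return 'ok' or the reason name chaining / signature checking fails."""
    if len(set(path)) != len(path):
        return "certificate appears more than once"
    name, key = anchor                  # working issuer name and key start at the anchor
    for i, cert in enumerate(path):
        if cert.issuer != name:
            return f"cert {i}: issuer does not match {name!r}"
        if not verify(key, tbs(cert.issuer, cert.subject, cert.pubkey), cert.sig):
            return f"cert {i}: bad signature"
        name, key = cert.subject, cert.pubkey   # this cert's subject issues the next one
    return "ok"

# Constructed sample hierarchy: Root CA -> Issuing CA -> leaf.example
root_pub, root_priv = make_key(2**89 - 1, 2**107 - 1)
ca_pub, ca_priv = make_key(2**61 - 1, 2**127 - 1)
leaf_pub, _ = make_key(2**31 - 1, 2**521 - 1)
anchor = TrustAnchor("Root CA", root_pub)
root_cert = issue("Root CA", root_priv, "Root CA", root_pub)   # the anchor's self-signed cert
ca_cert = issue("Root CA", root_priv, "Issuing CA", ca_pub)
leaf = issue("Issuing CA", ca_priv, "leaf.example", leaf_pub)
```

In this model `validate_path(anchor, [ca_cert, leaf])` returns `"ok"`. Prepending `root_cert` also returns `"ok"`, because the self-signed certificate is then processed as one more certificate issued by the anchor rather than as the anchor itself.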