my situation:
I am working on a application that is using openssl and rsa-certificates for secure communication with other parties.
so we need to exchange certificates.
so far so good.
mostly the partners certificate is a from a CA signed certificate (not a root certi or a selfsigend certi).
on my notebook (debian) I have from the distribution the most common rootCA-certificates installed in my openssl infrastrucutre. so I can verify the most partner-certificates because I have the issuer-root-certis.
my problem:
on my master-maschine I do not have pre-installed root-certis. so I need to check the partners-certi for the issuer, get this from the internet, put it into my trusted certi dir in openssl etc……
my question:
is this the normal way to do this???? Its a bit extensive and also a bit tricky if it is a longer chain.
thanks for help!
regards,chris
The purpose of having the root certificates preinstalled is because they serve as the top of the chain of trust (actually it’s more of a tree, or forest of trees…).
By having them preinstalled we assume (although we all know what people say about assuming) that they are not compromised and can be used to verify any other certificate. While it could be possible to compromise them by e.g. hacking into an FTP server and messing with the DVD images of a Linux distribution, it’s not very easy and it’s not going to stay undetected for long, nor can it target a specific organization.
In your case, you should do one of the following:
Install the root certificates in your system using a package from your system vendor. For a relatively high level of confidence, you should download the same package from two different locations, preferrably via different ISPs (e.g. from home and from work) and from two or three different mirrors. Then you can compare the downloaded files, which should be identical. If your system vendor provides checksums for their package files online you should verify those as well.
Take the root certificates from a trusted system via a USB drive and transfer them to your system. You should examine the security of the trusted system beforehand. Using a pristine Linux install from an official installation disk would be a good source.
Install at least one root certificate securely (e.g. via the USB drive method), then
try to track down the issuer certificates for your partners. For each issuer certificate you should manually verify and install any other certificates up the chain of trust till you reach a preinstalled root certificate. This can be a very tedious procedure and you WILL get frustrated, since most CAs use multiple certificates for various reasons, from reducing the impact of a potential compromise to marketing and business reasons.
You should NEVER install a certificate downloaded from the Internet as a trusted CA, unless you can verify its validity up to a preinstalled certificate.
So as an answer to your question: Unless you have a lot of time and patience, along with a will to learn a lot more about PKIs than most people would want, just find a way to install the proper root certificate on your system.
EDIT:
I forgot to mention that some OS vendors (e.g. SuSE) have their own certificates preinstalled in their package management system. In that case downloading packages from the official repositories using that package management system should be secure enough that you don’t need to bother with any of the above to ensure the validity of the root certificate package.