[CLUE-Tech] signing CA private key with another CA?

David Anselmi anselmi at americanisp.net
Wed Sep 3 15:43:22 MDT 2003 

Jim Ockers wrote:

> Dave,
> 
> 
>>I don't think private keys get signed.  When you sign a public key, the 
>>result is a certificate.  Seems that you already know how to do that.
>>
>>There isn't any point to signing a private key.  You have one, it is 
>>only ever used by you.  If anyone else gets it, it is no good.
> 
> 
> The point to signing a private key would be so that the signature would
> carry forward onto public keys signed with that private key.

No.  You misunderstand signatures and certificates.  A certificate is 
your public key, plus your identity, signed (that is, encrypted) with a 
certificate authority's private key.  I can verify the signature (that 
is, decrypt it) with the CA's public key.  If it verifies, I know that 
the CA claims that you are the person identified in the cert, and that 
you posess the corresponding private key.

How do I know the CA's public key that I have really belongs to the CA? 
  Because it came installed in my browser (or I installed it after 
receiving it from a trusted source).

> Take a look at this document from Verisign:
> 
> http://www.verisign.com/repository/hierarchy/hierarchy.pdf
> 
> As you can see the main primary certificate authority certificates
> (public keys) are self-signed, using the associated private key of
> course.  These public keys are generally found in commonly used web
> browsers and other SSL client software.

Yes.  Thes are called root certificates.  The root public key and the 
root identity are signed by the root private key to create the cert. 
They are trusted by everyone because they come installed in your browser 
(because they are installed the browser trusts them, and you trust the 
browser people to have provided the correct certs).

> As you can also see, there are many other certificate authority
> delegations (public/private key pairs) in the Verisign hierarchy.
> Since the web browsers probably don't have all of the other
> certificate authority certificates (public keys) in their certificate
> stores, the only way for Verisign to delegate the authority of
> their private key to other certificate authorities would be to
> sign the delegated-CA private key.  Right?

This is called a certificate chain.  There is only one example that 
shows more than 2 levels of hierarchy, the class 2 employee (or 
contractor) CA.  So let's look at that.

An employee presents his cert and I need to verify it (the employee is 
the equivalent of a web server in this case and I perform the functions 
of a browser).

The employee cert is signed by the class 2 employee CA private key.  I 
verify it by checking it using the class 2 employee CA public key.  It 
verifies, but I don't trust the class 2 employee CA cert (it isn't 
installed in my browser).

Where did I get this CA public key?  Either the employee gave it to me 
with his cert, or I got it off a public server (the former probably, in 
the case of web server certs).  How do I know who it belongs to?  It 
comes wrapped in a certificate of its own.

Since I don't trust the class 2 employee CA cert, I verify it using the 
class 2 personnel CA public key.  Again, I got that and its cert from 
the employee.  The employee cert verifies but I don't trust the 
personnel cert either.

So I verify the personnel cert with the class 2 public primary CA public 
key.  I didn't have to get the primary CA cert from the employee, it was 
in my browser and I trust it (it is a root cert).

[...]
>>All you should need to do is issue a certificate for the new CA signed 
>>by the old CA.  Then use the new CA to issue certificates for other 
>>things.  Browsers et. al. will follow the chain of signatures to the top 
>>(the old CA) and all will be well.
> 
> 
> If I did this, the new CA certificate (public key) would then have the
> signature of the old CA's private key.  However, when the new CA issues
> certificates (signs other public keys), the signature on its public key
> has nothing to do with it.
> 
> My objective was to try to figure out a way to issue certificates with
> the new CA private key without having to update all of the web browsers
> and client software with the new CA's public key.  Even if the new CA's
> public key has the "right" signature on it, how would any old web
> browser know about that since the new CA's "public key" is not loaded
> in the web browser?

You make a certificate chain like the Verisign one above.  Your old CA 
cert is the root cert (self-signed, I assume).  Your new CA cert isn't 
self signed, it is signed by the old CA.  Your new server certs are 
signed by the new CA.  Browsers will verify your server certs with the 
new CA cert, they will verify the new CA cert with the old CA cert. 
They trust the old CA cert because you installed it in them.  You load 
the whole chain into your web server and it provides all the pieces to 
the clients.

Private keys are only ever used by the "person" to whom they belong. 
Since you're the only one who ever uses your private key, attaching your 
identity to it by signing it accomplishes nothing useful.  It is the 
public keys that the public uses.  The public needs to know who the keys 
  belong to.  The public, in checking identities only ever uses public 
keys (which are readily available because they are public).

[...]
> The only way I could think of to delegate the authority of the CA was
> to sign the private key of the new CA using the private key of the old
> CA.  I'm pretty sure this is how Verisign does it.  Do you still
> disagree?

Yes, I disagree.  Do you understand why?  If not, I guess I have to 
start from the top.

Here are the steps you need to take:

Create a certificate request for your new CA keys.  Generate a 
certificate for that request using your old CA key.

Create new keys for your servers.  Create certificate requests for your 
new server keys.  Generate certificates for your servers from their 
requests and your new CA key.

On each server, install its private key, its certificate, and the old 
and new CA certificates.

Try it out from one of your browsers that trusts your old CA.  It will 
not complain about the secure page it gets.  You will be able to examine 
the certs used to secure the page and you will see all three certs in 
the chain.

HTH,
Dave

More information about the clue-tech mailing list