views:

347

answers:

1

I'm trying to setup a hierarchical PKI. Can I create a truststore containing only the root ca certificate, and will that mean my application trusts certificates signed by a sub-ca certificate which is in turn signed by the root ca?

As an aside, it seems that you must provide an entire certificate chain, including the root ca certificate. Surely if the root ca is trusted, the certificate shouldn't need to be sent? We just want to check if the next certificate down is signed by it.

+2  A: 

The trust store should only contain the root CAs, not intermediates.

An identity store should contain private keys, each associated with its certificate chain, except for the root.

Many, many applications in the wild are misconfigured, and when trying to identify themselves (say, a server authenticating itself with SSL), they only send their own certificate, and are missing the intermediates. There are fewer that mistakenly send the root as part of the chain, but this is less harmful. Most certificate path builders will just ignore it, and find a path to a root from their trusted key store.

The suppositions in the original question are right on target.

erickson