HTTPS security is based on the chain of trust. The initial trusted party (root authority) signs a certificate for some other party and then it can sign for some other.
Does that mean that if I have a valid HTTPS certificate for my website, I can also sign certificates for others?
What stops me from doing that? In other words: how will our browser be able to detect whether the intermediate signer is a legitimate authority?
Let's say I have a valid HTTPS certificate for my toy_website.com, and using that I signed a certificate for google.com, and then in my internal DNS server I changed the IP mapping of google.com. Now any user connected to my internal network will try to hit google.com and will actually be reaching some other website, but its certificate is signed for google.com, so the browser will not be able to detect any issues here.
Is this possible?
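
The scenario above, run through the issuer check that X.509 path validation (RFC 5280) applies, as an added example that is not part of the original post. It assumes the Python `cryptography` package; the certificates are constructed test data, the helper names are hypothetical, and the check is narrowed to signature plus the Basic Constraints CA flag (real validators also check names, validity, key usage and revocation).

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def issue(cn, key, issuer_cert, issuer_key, is_ca):
    """Constructed test certificate; self-signed when issuer_cert is None."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def check_chain(chain, trusted_root):
    """chain is leaf-first; every issuer must verify the signature AND be marked as a CA."""
    path = chain + [trusted_root]
    for cert, issuer in zip(path, path[1:]):
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return "bad signature"
        try:
            bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        except x509.ExtensionNotFound:
            return "issuer is not a CA"
        if not bc.ca:
            return "issuer is not a CA"
    return "ok"

def demo():
    root_key, site_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = issue("Constructed Root CA", root_key, None, root_key, True)
    site = issue("toy_website.com", site_key, root, root_key, False)
    # The case from the question: the website's key signs a certificate for another name.
    other = issue("google.com", other_key, site, site_key, False)
    return check_chain([site], root), check_chain([other, site], root)

if __name__ == "__main__":
    print(demo())
```

The second chain has a mathematically valid signature; it is rejected because the signing certificate carries `CA:FALSE`, which is what a publicly trusted CA sets on website certificates.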