Search

SearchSearch

Dec 13, 2025, 2 min read

CA Certificate Trust Issue

Safeguarding the Private Key

CAs must protect their private key because if it is leaked, they can no longer fulfill their role. The holder of the leaked key can issue certificates at will. If a private key is compromised, it would be catastrophic for the CA. All certificates issued by the CA would need to be revoked, websites would need to redeploy new certificates, and if clients do not promptly revoke the compromised CA, they could be at risk of accessing fraudulent servers, leading to potential account theft and fraud.

Given the numerous websites that need certificates (including reissuance upon expiration), it would be highly inefficient for the CA to access the private key from a secure vault for each certificate issuance.

Use of Intermediate Certificates

To address this, the CA Root certificate usually does not directly issue certificates to websites. Instead, it issues an intermediate certificate, which is then used to issue certificates to websites.

This is where x509 comes in: if a client trusts the CA, then the client should trust certificates issued by the CA, and should trust certificates issued by those certificates, and so on. However, does this mean that a certificate issued to me by the CA can be used by me to issue other certificates? That would mean anyone could use the CA’s credibility to issue certificates.

Certificate Signing

Of course not. CA-issued certificates include an X509v3 Basic Constraints: critical field, with the value CA:FALSE. By downloading the certificate for this blog and using the OpenSSL tool to parse it, you can see that in this certificate chain, both the Root and Intermediate certificates have CA:TRUE, while my certificate has CA:FALSE.

The CA:FALSE value on certificates issued to entities means that even if they issue a certificate, it won’t be trusted. Can we modify this field to issue certificates? 

The answer is yes, but if I modify my own certificate, the modified certificate will no longer be trusted.

Reference

All I Know About Certificates — Certificate Authority | PixelsTech

Backlinks

  • No backlinks found