Question
I am thinking about this issue and it is hard to estimate the technical impacts.
For any relevant reasons, one wants to modify one of the X.509 fields of an intermediate CA. This intermediate CA was signed by the root CA, and it has already issued some end certificates.
I want the root CA to sign this intermediate certificate again because one field has changed (even a useless field), so the certificate produces a new hash, and so a new signature is made by the root. Suppose you replace the old certificate with the new one (with its new signature); what happens:
Is the intermediate certificate still trusted? I guess it is, as the signature is valid (even if it is a "fresh" one) and we can verify it with the root certificate.
Also, as the intermediate public key has never changed, the end certificates are still valid, and we can verify them (with the intermediate public key).
So obviously, the intermediate certificate content has changed, but we can still use it as it is signed by the root, and its public key is still the same.
I suppose there are impacts I couldn't see.
Explanation / Answer
Signing is done with the key only, so as long as the key is not changed, all signatures made by this certificate are still valid. But when building the trust chain for a certificate, it will look at the certificate's issuer field and then search for a certificate having this issuer as its subject. Only after it has found a certificate (or multiple) with the expected subject will it use them to verify the signature.
This means that you should be able to change any information in the certificate as long as the public key and the subject stay the same.
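The lookup order described in the answer (match the issuer name to a subject first, then check the signature with that certificate's key), shown as an added example that is not part of the original answer. It assumes the Python `cryptography` package; all names, keys and validity dates are constructed, and the check models only name matching and signature verification, not full path validation.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1)  # constructed validity start

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, subject_key, issuer_cn, issuer_key, days=365, is_ca=True):
    """Issue a certificate for subject_key's public key, signed with issuer_key."""
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, candidate):
    """Step 1: issuer name must equal the candidate's subject. Step 2: signature check."""
    if cert.issuer != candidate.subject:
        return False  # candidate is never selected, so its key is never tried
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def chain_ok(leaf, intermediate, root):
    return signed_by(leaf, intermediate) and signed_by(intermediate, root)

root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
root = issue("Example Root", root_key, "Example Root", root_key)
old_int = issue("Example Intermediate", int_key, "Example Root", root_key)
leaf = issue("leaf.example", leaf_key, "Example Intermediate", int_key, is_ca=False)
# Re-issued intermediate: same key and subject, new serial and longer validity.
new_int = issue("Example Intermediate", int_key, "Example Root", root_key, days=730)
# Re-issued with a changed subject: same key, but the leaf's issuer no longer matches.
renamed_int = issue("Example Intermediate G2", int_key, "Example Root", root_key)
```

`chain_ok(leaf, new_int, root)` holds even though the re-issued certificate differs from the old one, while `chain_ok(leaf, renamed_int, root)` fails at the name-matching step despite the unchanged key.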