With digital certificates in Top Secret, is there a way to distinguish between a Root certificate and an intermediate certificate?
There are 2 ways:
1) Issue: TSS LIST(acid) DIGICERT(certname) CHAIN
IMPORTANT: Before using the CHAIN option, be sure Top Secret r16 PTF SO15869 is applied.
The CHAIN keyword lists a certificate owned by a user, CERTSITE, or CERTAUTH together with the issuer certificates (owned by CERTAUTH) that make up its chain. If any certificate in the chain has expired, the end of the output also shows "Chain contains expired certificates". The last certificate in the output is the root certificate. For example:
TSS LIST(CERTAUTH) DIGICERT(INTER1) CHAIN
DIGICERT = INTER1 ACCESSORID = CERTAUTH
ADMIN BY= …
LABEL = INTERMEDIATE ONE
STATUS = TRUST
SERIAL# = 01
ISSUER DISTINGUISHED NAME:
.CN=USROOTCERT.OU=MYCO.C=US
SUBJECT DISTINGUISHED NAME:
CN=INTEROPERATIONS.OU=MYCO.C=US
KEYUSAGE:
CERTSIGN
PRIVATE KEY SIZE = 1024
PRIVATE KEY TYPE = RSA
ALGORITHM = sha-1WithRSAEncryption
NOT BEFORE = 2021/02/19 00:00:00 UTC
NOT AFTER = 2022/02/19 23:59:59 UTC
CERTIFICATE WAS SIGNED BY: ACID(CERTAUTH) DIGICERT(USROOT )
DIGICERT = USROOT ACCESSORID = CERTAUTH
ADMIN BY= …
LABEL = US ROOT CERT
STATUS = TRUST
SERIAL# = 00
ISSUER DISTINGUISHED NAME:
.CN=USROOTCERT.OU=MYCO.C=US
SUBJECT DISTINGUISHED NAME:
CN=USROOTCERT.OU=MYCO.C=US
KEYUSAGE:
CERTSIGN
PRIVATE KEY SIZE = 1024
PRIVATE KEY TYPE = RSA
ALGORITHM = sha-1WithRSAEncryption
NOT BEFORE = 2021/02/19 00:00:00 UTC
NOT AFTER = 2022/02/19 23:59:59 UTC
Chain Information:
Chain contains 2 certificates
Chain is complete
TSS0300I LIST FUNCTION SUCCESSFUL
DIGICERT USROOT is the root certificate.
2) Issue: TSS LIST(acid) DIGICERT(certname) (or DIGICERT(ALL) for all certificates on the ‘acid’).
In the list output, you will see an issuer distinguished name (IDN) and a subject distinguished name (SDN). For example:
TSS LIST(acid) DIGICERT(newcert1)
DIGICERT = newcert1 ACCESSORID = acid
ADMIN BY= …
…
ISSUER DISTINGUISHED NAME:
.CN=ABCD.OU=XYZ.C=US
SUBJECT DISTINGUISHED NAME:
CN=ABCD.OU=XYZ.C=US
…
- If the IDN and SDN are the same and the certificate is on the CERTAUTH acid, the certificate is the root certificate.
- If the IDN and SDN are not the same, then the certificate was signed by another certificate.
- If a certificate is signed, the IDN identifies the certificate that signed it. For example:
DIGICERT = INTER1 ACCESSORID = CERTAUTH
ADMIN BY= …
ISSUER DISTINGUISHED NAME:
.CN=USROOTCERT.OU=MYCO.C=US
SUBJECT DISTINGUISHED NAME:
CN=INTEROPERATIONS.OU=MYCO.C=US
…
DIGICERT = USROOT ACCESSORID = CERTAUTH
ADMIN BY= …
ISSUER DISTINGUISHED NAME:
.CN=USROOTCERT.OU=MYCO.C=US
SUBJECT DISTINGUISHED NAME:
CN=USROOTCERT.OU=MYCO.C=US
DIGICERT USROOT is the root certificate since the IDN and SDN are the same.
DIGICERT INTER1 is an intermediate certificate since the IDN and SDN do not match. INTER1 is signed by USROOT since the IDN on INTER1 (CN=USROOTCERT.OU=MYCO.C=US) matches the SDN on USROOT (CN=USROOTCERT.OU=MYCO.C=US).
An intermediate certificate is a root certificate that has been signed by another root certificate. The IDN of the intermediate root certificate will show who signed it.
- If the IDN and SDN are not the same, and the output contains a line of the form
CERTIFICATE WAS SIGNED BY: ACID(xxx) DIGICERT(yyy)
then the certificate is an intermediate certificate. DIGICERT(yyy) is the certificate authority (CA) signing certificate.
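Both methods above come down to the same check: compare each certificate's IDN with its SDN, and follow IDN-to-SDN matches from certificate to certificate until a self-signed certificate ends the chain. The following Python script is an added example, not Top Secret code or output and not part of this article: it parses TSS LIST output in the format shown above and applies those rules. The sample listing is constructed; the WEBCERT and ORPHAN records are invented to show an end-entity certificate and a certificate whose issuer is not in the listing. Using the KEYUSAGE value CERTSIGN to separate an intermediate from an end-entity certificate (which is also signed by a CA, so its IDN and SDN also differ) is an extension of the article's IDN/SDN rule.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the TSS LIST(acid) DIGICERT(...) output shown above
# (fields the rule does not use, such as ADMIN BY and dates, are left out).
# WEBCERT and ORPHAN are invented for this example; they are not from the article.
SAMPLE_TSS_LIST_OUTPUT = """\
DIGICERT = INTER1    ACCESSORID = CERTAUTH
ISSUER DISTINGUISHED NAME:
.CN=USROOTCERT.OU=MYCO.C=US
SUBJECT DISTINGUISHED NAME:
CN=INTEROPERATIONS.OU=MYCO.C=US
KEYUSAGE:
CERTSIGN
CERTIFICATE WAS SIGNED BY: ACID(CERTAUTH) DIGICERT(USROOT  )
DIGICERT = USROOT    ACCESSORID = CERTAUTH
ISSUER DISTINGUISHED NAME:
.CN=USROOTCERT.OU=MYCO.C=US
SUBJECT DISTINGUISHED NAME:
CN=USROOTCERT.OU=MYCO.C=US
KEYUSAGE:
CERTSIGN
DIGICERT = WEBCERT   ACCESSORID = WEBSRV
ISSUER DISTINGUISHED NAME:
.CN=INTEROPERATIONS.OU=MYCO.C=US
SUBJECT DISTINGUISHED NAME:
CN=WEBSERVER.OU=MYCO.C=US
KEYUSAGE:
HANDSHAKE
CERTIFICATE WAS SIGNED BY: ACID(CERTAUTH) DIGICERT(INTER1  )
DIGICERT = ORPHAN    ACCESSORID = APP1
ISSUER DISTINGUISHED NAME:
.CN=OTHERCA.OU=ELSEWHERE.C=US
SUBJECT DISTINGUISHED NAME:
CN=APP1.OU=MYCO.C=US
TSS0300I LIST FUNCTION SUCCESSFUL
"""

@dataclass
class TssCert:
    name: str
    acid: str
    issuer_dn: str = ""
    subject_dn: str = ""
    keyusage: list = field(default_factory=list)
    signed_by: str = ""   # DIGICERT name from the CERTIFICATE WAS SIGNED BY line, if present

HEADER_RE = re.compile(r"^DIGICERT\s*=\s*(\S+)\s+ACCESSORID\s*=\s*(\S+)")
SIGNED_BY_RE = re.compile(r"SIGNED BY:\s*ACID\((\w+)\s*\)\s*DIGICERT\((\w+)\s*\)")

def parse_tss_list(text: str) -> list:
    """Split TSS LIST output into one TssCert per DIGICERT record."""
    certs, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:                                   # "DIGICERT = name ACCESSORID = acid" starts a record
            cur = TssCert(name=m.group(1), acid=m.group(2))
            certs.append(cur)
            pending = None
        elif cur is None:
            continue
        elif line in ("ISSUER DISTINGUISHED NAME:", "SUBJECT DISTINGUISHED NAME:", "KEYUSAGE:"):
            pending = line.rstrip(":").split()[0]   # the value follows on the next line(s)
        elif pending == "ISSUER":
            cur.issuer_dn, pending = line.lstrip("."), None   # TSS prints the IDN with a leading period
        elif pending == "SUBJECT":
            cur.subject_dn, pending = line, None
        elif pending == "KEYUSAGE" and re.fullmatch(r"[A-Z]+", line):
            cur.keyusage.append(line)           # one key usage per line until something else appears
        else:
            pending = None
            m = SIGNED_BY_RE.search(line)
            if m:
                cur.signed_by = m.group(2)
    return certs

def classify(cert: TssCert) -> str:
    # Article's rule: IDN == SDN on CERTAUTH means root. CERTSIGN vs. other key usage
    # (added here) separates a signed CA certificate from a signed end-entity certificate.
    if cert.issuer_dn == cert.subject_dn:
        return "ROOT" if cert.acid == "CERTAUTH" else "SELF-SIGNED"
    return "INTERMEDIATE" if "CERTSIGN" in cert.keyusage else "END-ENTITY"

def classify_listing(text: str) -> dict:
    """Certificate name -> classification for every record in a TSS LIST output."""
    return {c.name: classify(c) for c in parse_tss_list(text)}

def chain_to_root(name: str, certs: list) -> tuple:
    """Follow IDN -> SDN matches (method 2); returns (names leaf-to-root, chain_complete)."""
    by_subject = {c.subject_dn: c for c in certs}
    cur = next(c for c in certs if c.name == name)
    chain, seen = [], set()
    while cur is not None and cur.name not in seen:
        seen.add(cur.name)
        chain.append(cur.name)
        if cur.issuer_dn == cur.subject_dn:
            return chain, True          # reached a self-signed certificate: the end of the chain
        cur = by_subject.get(cur.issuer_dn)
    return chain, False                 # issuer missing from the listing (or a loop): incomplete

if __name__ == "__main__":
    certs = parse_tss_list(SAMPLE_TSS_LIST_OUTPUT)
    for c in certs:
        print(f"{c.name:8} on {c.acid:8} -> {classify(c)}; chain {chain_to_root(c.name, certs)}")
```

Run against real output captured from TSS LIST(acid) DIGICERT(ALL), the script reports the root as the last name in each complete chain, exactly as the CHAIN option does, and flags a certificate whose issuer is not on the system as an incomplete chain.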
NOTES:
- The root certificate is self-signed: it is not signed by another certificate, and its IDN and SDN are the same. (If it were signed by another certificate, it would be an intermediate.)
- The root is the end of the certificate chain. Just like a metal chain, a certificate chain has an end: the link at the end is the root, and the rest of the links are intermediates.