search cancel

Distinguish In Top Secret Between Root Certificate And Intermediate Certificate

book

Article ID: 49457

calendar_today

Updated On:

Products

Cleanup WEB ADMINISTRATOR FOR TOP SECRET Top Secret Top Secret - LDAP

Issue/Introduction

With digital certificates in Top Secret, is there a way to distinguish between a Root certificate and an intermediate certificate?

Environment

Release:
Component: AWAGNT

Resolution

There are 2 ways:
1) Issue: TSS LIST(acid) DIGICERT(certname) CHAIN

IMPORTANT: Before using the CHAIN option, be sure Top Secret r16 PTF SO15869 is applied.

The CHAIN keyword displays information about a certificate owned by a user, CERTSITE, or CERTAUTH and its issuer’s certificates owned by user CERTAUTH in a chain of certificates. (The bottom of the output will also have "Chain contains expired certificates" if there are any expired certificates in the chain.) The last certificate in the output is the root certificate. For example:

TSS LIST(CERTAUTH) DIGICERT(INTER1) CHAIN

DIGICERT = INTER1           ACCESSORID = CERTAUTH
   ADMIN BY= …
LABEL      = INTERMEDIATE ONE
STATUS     = TRUST
SERIAL#    = 01
ISSUER DISTINGUISHED NAME:
             .CN=USROOTCERT.OU=MYCO.C=US
SUBJECT DISTINGUISHED NAME:
             CN=INTEROPERATIONS.OU=MYCO.C=US
KEYUSAGE:
             CERTSIGN
PRIVATE KEY SIZE = 1024
PRIVATE KEY TYPE = RSA
ALGORITHM = sha-1WithRSAEncryption
NOT BEFORE = 2021/02/19  00:00:00 UTC
NOT AFTER  = 2022/02/19  23:59:59 UTC
CERTIFICATE WAS SIGNED BY:  ACID(CERTAUTH) DIGICERT(USROOT  )
DIGICERT = USROOT           ACCESSORID = CERTAUTH
   ADMIN BY= …
LABEL      = US ROOT CERT
STATUS     = TRUST
SERIAL#    = 00
ISSUER DISTINGUISHED NAME:
             .CN=USROOTCERT.OU=MYCO.C=US
SUBJECT DISTINGUISHED NAME:
             CN=USROOTCERT.OU=MYCO.C=US
KEYUSAGE:
             CERTSIGN
PRIVATE KEY SIZE = 1024
PRIVATE KEY TYPE = RSA 
ALGORITHM = sha-1WithRSAEncryption
NOT BEFORE = 2021/02/19  00:00:00 UTC
NOT AFTER  = 2022/02/19  23:59:59 UTC
Chain Information:
    Chain contains    2 certificates
    Chain is complete
TSS0300I  LIST     FUNCTION SUCCESSFUL

DIGICERT USROOT is the root certificate. 

2) Issue: TSS LIST(acid) DIGICERT(certname) (or DIGICERT(ALL) for all certificates on the ‘acid’).

In the list output, you will see an issuer distinguished name (IDN) and a subject distinguished name (SDN). For example:

TSS LIST(acid) DIGICERT(newcert1)

DIGICERT = newcert1         ACCESSORID = acid
   ADMIN BY= …
… 
ISSUER DISTINGUISHED NAME:
             .CN=ABCD.OU=XYZ.C=US
SUBJECT DISTINGUISHED NAME:
             CN=ABCD.OU=XYZ.C=US
…                                  

      - If the IDN and SDN are the same and the certificate is on the CERTAUTH acid, the certificate is the root certificate. 

      - If the IDN and SDN are not the same, then the certificate is signed.
            - If a certificate is signed, the IDN will indicate who signed it. For example:

DIGICERT = INTER1           ACCESSORID = CERTAUTH
   ADMIN BY= …
ISSUER DISTINGUISHED NAME:
             .CN=USROOTCERT.OU=MYCO.C=US
SUBJECT DISTINGUISHED NAME:
             CN=INTEROPERATIONS.OU=MYCO.C=US


DIGICERT = USROOT           ACCESSORID = CERTAUTH
   ADMIN BY= …
ISSUER DISTINGUISHED NAME:
             .CN=USROOTCERT.OU=MYCO.C=US
SUBJECT DISTINGUISHED NAME:
             CN=USROOTCERT.OU=MYCO.C=US

DIGICERT USROOT is the root certificate since the IDN and SDN are the same.
DIGICERT INTER1 is an intermediate certificate since the IDN and SDN do not match. INTER1 is signed by USROOT since the IDN on INTER1 (CN=USROOTCERT.OU=MYCO.C=US) matches the SDN on USROOT (CN=USROOTCERT.OU=MYCO.C=US). 

An intermediate certificate is a root certificate that has been signed by another root certificate. The IDN of the intermediate root certificate will show who signed it.

      - If the IDN and SDN are not the same, and there is a
            CERTIFICATE WAS SIGNED BY: ACID(xxx) DIGICERT(yyy)
        than the certificate is an intermediate certificate. '(yyy)' is the certificate authority (CA) signing certificate.

NOTES: 
- The root certificate is not signed. (If it was signed, then it would be an intermediate root.) A root certificate is self signed. In other words, it is not signed by another certificate. 
- The root is the end of the certificate chain. Just like with a metal chain, there is an end. The link at the end is the root. The rest of the links are intermediate.