10.3 Using Root Certificates

10.3.1 Problem

You want to do certificate validation, but you need the correct certificates from the certification authorities you intend to support.

10.3.2 Solution

The certificates that you need can be obtained from the authority themselves, but unfortunately, many CAs do not make them easy to get. OpenSSL includes several of the more common root CA certificates, but it is not a complete collection. Popular web browsers such as Internet Explorer for Windows also allow you to export the certificates they contain.

A much more in-depth survey of all the common root certificates (particularly the ones found in Microsoft's Internet Explorer) is available in the Root Report, available for sale from the PKI Laboratory (http://www.pkiclue.com).

10.3.3 Discussion

You should either obtain certificates directly from the CA over a trusted medium or check the fingerprints of certificates you find on the net or in your browser against fingerprints published in a trusted source. You can do this by calling the CA, or you can compare against the fingerprints published in this book.

Table 10-1 lists information about the root certificates for several prominent CAs. The information was collected from Internet Explorer for Windows, but it contains only those CAs that also publish CRLs. You can download these certificates (in PEM format) from the book's web site, but be sure to check the fingerprint of the certificate against the fingerprint listed in this book. To check the fingerprint using the OpenSSL command-line tool, use the command:

openssl x509 -fingerprint -noout -in cert.pem

where cert.pem is the name of the file containing the certificate that you wish to check.

Note that most CAs have multiple certificates, so you should figure out what type of certificate is right for your application. Generally, CAs will have at least one type of certificate intended for secure servers. They may also have "personal" certificates for user identification and even multiple types of personal certificates. Be sure to check the description to figure out which certificates are relevant to your application.

Because most certificates eventually expire, there may be multiple root certificates of the same type from the same CA at one time. For example, for a few years, VeriSign had three different valid root certificates for their "class 3" PKI, which was generally for server certificates. One of those has now expired, and another one will expire in 2004.

Here we detail only a subset of certificates that are distributed with Internet Explorer for Windows. Certificates in this list may expire, in which case you should go directly to the CA or to some other trusted source. At the time of writing, any valid certificate signed by one of the CAs listed in Table 10-1 is likely to be signed by one of the associated certificates.

Usually, you should not simply trust all root certificates. For example, email certificates (class 1) do not really offer a guarantee about who is on the other end. In addition, you will want to validate other information about certificates, even if the CA's signature is valid (see Recipe 10.4 through Recipe 10.7).

The "use" column in the table indicates the kind of certificate the root CA certificate uses to sign. Generally, certificates are intended for one of the following purposes:

Secure email

The CA is rarely validating anything other than the fact that the person with the private key associated with the certificate has access to the email address listed in the certificate. Such certificates are used in the S/MIME secure email standard.

Client authentication

The CA (or its subordinate) has done reasonable validation on the identity of the entity to which the certificate is issued.

Server authentication

Used primarily for electronic commerce over the Web. The CA or its subordinate has done validation on the identity of the entity to which the certificate is issued.

Code signing

Used for validating the vendor that produced mobile code. The CA or its subordinate has done validation on the identity of the entity to which the certificate is issued.

Time stamping

Used for proving the existence of data at a specific date and time.

Table 10-1. CA certificates, their uses, expiration dates, and fingerprints

CA

Certificate

Use

Expires (GMT)

MD5 fingerprint

Equifax

Secure Certificate Authority

Secure email, server authentication, code signing

2018-08-22 16:41:51

67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4

Equifax

Secure eBusiness CA-1

Secure email, server authentication, code signing

2020-06-21 04:00:00

64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D

Equifax

Secure eBusiness CA-2

Secure email, server authentication, code signing

2019-06-23 12:14:45

AA:BF:BF:64:97:DA:98:1D:6F:C6:08:3A:95:70:33:CA

Equifax

Secure Global eBusiness CA-1

Secure email, server authentication, code signing

2020-06-21 04:00:00

8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC

RSA Data Security

Secure Server

Server authentication

2010-01-07 23:59:59

74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93

Thawte

Server

Code signing, server authentication

2020-12-31 23:59:59

C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D

TrustCenter

Class 1

Secure email, server authentication

2011-01-01 11:59:59

8D:26:FF:2F:31:6D:59:29:DD:E6:36:A7:E2:CE:64:25

TrustCenter

Class 2

Secure email, server authentication

2011-01-01 11:59:59

B8:16:33:4C:4C:4C:F2:D8:D3:4D:06:B4:A6:5B:40:03

TrustCenter

Class 3

Secure email, server authentication

2011-01-01 11:59:59

5F:94:4A:73:22:B8:F7:D1:31:EC:59:39:F7:8E:FE:6E

TrustCenter

Class 4

Secure email, server authentication

2011-01-01 11:59:59

0E:FA:4B:F7:D7:60:CD:65:F7:A7:06:88:57:98:62:39

UserTrust Network

UTN-UserFirst-Object

Code signing, time stamping

2019-07-09 18:40:36

A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9

UserTrust Network

UTN-UserFirst-Network Applications

Secure email, server authentication

2019-07-09 18:57:49

BF:60:59:A3:5B:BA:F6:A7:76:42:DA:6F:1A:7B:50:CF

UserTrust Network

UTN-UserFirst-Hardware

Server authentication

2019-07-09 18:19:22

4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39

UserTrust Network

UTN-UserFirst-Client Authentication and Email

Secure email

2019-07-09 17:36:58

D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7

UserTrust Network

UTN-DataCorp SGC

Server authentication

2019-06-24 19:06:30

B3:A5:3E:77:21:6D:AC:4A:C0:C9:FB:D5:41:3D:CA:06

ValiCert

Class 1 Policy Validation Authority

Secure email, server authentication

2019-06-25 22:23:48

65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB

VeriSign

Class 1 Public PCA

Secure email, client authentication

2020-01-07 23:59:59

51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20

VeriSign

Class 1 Public PCA

Secure email, client authentication

2028-01-08 23:59:59

97:60:E8:57:5F:D3:50:47:E5:43:0C:94:36:8A:B0:62

VeriSign

Class 1 Public PCA (2nd Generation)

Secure email, client authentication

2018-05-18 23:59:59

F2:7D:E9:54:E4:A3:22:0D:76:9F:E7:0B:BB:B3:24:2B

VeriSign

Class 1 Public PCA (2nd Generation)

Secure email, client authentication

2028-08-01 23:59:59

DB:23:3D:F9:69:FA:4B:B9:95:80:44:73:5E:7D:41:83

VeriSign

Class 2 Public PCA

Secure email, client authentication, code signing

2004-01-07 23:59:59

EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

VeriSign

Class 2 Public PCA

Secure email, client authentication, code signing

2028-08-01 23:59:59

B3:9C:25:B1:C3:2E:32:53:80:15:30:9D:4D:02:77:3E

VeriSign

Class 2 Public PCA (2nd Generation)

Secure email, client authentication, code signing

2018-05-18 23:59:59

74:A8:2C:81:43:2B:35:60:9B:78:05:6B:58:F3:65:82

VeriSign

Class 2 Public PCA (2nd Generation)

Secure email, client authentication, code signing

2028-08-01 23:59:59

2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1

VeriSign

Class 3 Public PCA

Secure email, client authentication, code signing, server authentication

2004-01-07 23:59:59

78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D

VeriSign

Class 3 Public PCA

Secure email, client authentication, code signing, server authentication

2028-08-01 23:59:59

10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67

VeriSign

Class 3 Public PCA (2nd Generation)

Secure email, client authentication, code signing, server authentication

2018-05-18 23:59:59

C4:63:AB:44:20:1C:36:E4:37:C0:5F:27:9D:0F:6F:6E

VeriSign

Class 3 Public PCA (2nd Generation)

Secure email, client authentication, code signing, server authentication

2028-08-01 23:59:59

A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9

VeriSign

Commercial Software Publishers

Secure email, code signing

2004-01-07 23:59:59

DD:75:3F:56:BF:BB:C5:A1:7A:15:53:C6:90:F9:FB:CC

VeriSign

Individual Software Publishers

Secure email, code signing

2004-01-07 23:59:59

71:1F:0E:21:E7:AA:EA:32:3A:66:23:D3:AB:50:D6:69

10.3.4 See Also

  • Root Report from the PKI Laboratory: http://www.pkiclue.com/

  • Recipe 10.4, Recipe 10.5, Recipe 10.6, Recipe 10.7