PKI Certificate Tutorials - Herong's Tutorial Examples - v1.10, by Herong Yang
Intermediate CA Certificate Example
This section provides an intermediate CA certificate example and explains its data fields.
After reviewing the root CA certificate from the "Let's Encrypt" CA organization, let's look at their intermediate CA certificate named "E1" and see if we can understand the differences between root and intermediate CA certificates.
Here is the "E1" certificate in PEM format.
Here are the data fields of the certificate printed out by the OpenSSL tool:
Data:
    Version: 3 (0x2)
    Serial Number:
        b3:bd:df:f8:a7:84:5b:bc:e9:03:a0:41:35:b3:4a:45
    Signature Algorithm: ecdsa-with-SHA384
    Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X2
    Validity
        Not Before: Sep  4 00:00:00 2020 GMT
        Not After : Sep 15 16:00:00 2025 GMT
    Subject: C=US, O=Let's Encrypt, CN=E1
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            EC Public Key:
            pub:
                04:24:5c:2d:a2:2a:fd:1c:4b:a6:5d:97:73:27:31:
                ac:b2:a0:69:62:ef:65:e8:a6:b0:f0:ac:4b:9f:ff:
                1c:0b:70:0f:d3:98:2f:4d:fc:0f:00:9b:37:f0:74:
                05:57:32:97:2e:05:ef:2a:43:25:a3:fb:6e:34:27:
                13:f6:4f:7e:69:d3:02:99:5e:eb:24:47:92:c1:24:
                9b:e6:b1:21:8f:c1:24:81:fc:68:cc:1f:69:ba:58:
                f5:19:22:f7:74:c6:16
            ASN1 OID: secp384r1
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 Extended Key Usage:
            TLS Web Client Authentication, TLS Web Server Authentication
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 Subject Key Identifier:
            5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC
        X509v3 Authority Key Identifier:
            keyid:7C:42:96:AE:DE:4B:48:3B:FA:92:F8:9E:8C:CF:6D:8B:A9:72:37:95
        Authority Information Access:
            CA Issuers - URI:http://x2.i.lencr.org/
        X509v3 CRL Distribution Points:
            URI:http://x2.c.lencr.org/
        X509v3 Certificate Policies:
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
Signature Algorithm: ecdsa-with-SHA384
    30:64:02:30:7b:74:d5:52:13:8d:61:fe:0d:ba:3f:03:00:9d:
    f3:d7:98:84:d9:57:2e:bd:e9:0f:9c:5c:48:04:21:f2:cb:b3:
    60:72:8e:97:d6:12:4f:ca:44:f6:42:c9:d3:7b:86:a9:02:30:
    5a:b1:b1:b4:ed:ea:60:99:20:b1:38:03:ca:3d:a0:26:b8:ee:
    6e:2d:4a:f6:c6:66:1f:33:9a:db:92:4a:d5:f5:29:13:c6:70:
    62:28:ba:23:8c:cf:3d:2f:cb:82:e9:7f
Comparing it with the "ISRG Root X2" root CA certificate, I see the following differences in this intermediate CA certificate:
1.4. "Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X2" - It tells us who issued (or signed) this certificate: "ISRG Root X2" from Internet Security Research Group in the US.
Note that the Issuer Name matches the Subject Name of the root CA certificate reviewed in the previous tutorial. In other words, this certificate was signed by the "ISRG Root X2" root CA certificate.
1.5. Validity ... - It tells us that this certificate is valid for 5 years, between Sep 4, 2020 and Sep 15, 2025, which is much shorter than the validity period of the root CA certificate.
1.6. "Subject: C=US, O=Let's Encrypt, CN=E1" - It tells us who owns this certificate: "E1" from Let's Encrypt in the US.
1.10. "X509v3 extensions: ..." - Maps to the X.509 v3 Extensions container in the X.509 standard. It tells us that:
By looking at their contents, a root CA certificate differs from an intermediate CA certificate mainly in just one area:
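To see these root-versus-intermediate differences the way a certificate path builder checks them, here is an added example (not from the original tutorial) that builds a constructed root/intermediate pair shaped like "ISRG Root X2" and "E1" with the Python cryptography package (assumed installed; keys and names are made up, not ISRG's) and checks the Issuer/Subject link, the AKI/SKI match, the root-key signature, CA:TRUE with pathlen:0, the key usage, and the nested validity period.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):  # demo names carry a CN only; the real certs also carry C and O
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def build_chain():
    # Constructed pair shaped like "ISRG Root X2" -> "E1": fresh P-384 keys, NOT ISRG's.
    now = datetime.now(timezone.utc)
    root_key, inter_key = (ec.generate_private_key(ec.SECP384R1()) for _ in range(2))
    root_name = _name("Demo Root X2")
    root = (x509.CertificateBuilder()
            .subject_name(root_name).issuer_name(root_name)  # self-signed: Issuer == Subject
            .public_key(root_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365 * 20))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(root_key.public_key()), critical=False)
            .sign(root_key, hashes.SHA384()))
    inter = (x509.CertificateBuilder()
             .subject_name(_name("E1")).issuer_name(root_name)  # Issuer == the root's Subject
             .public_key(inter_key.public_key()).serial_number(x509.random_serial_number())
             .not_valid_before(now).not_valid_after(now + timedelta(days=365 * 5))  # shorter than root
             .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
             .add_extension(x509.KeyUsage(True, False, False, False, False, True, True, False, False), critical=True)  # digitalSignature, keyCertSign, cRLSign
             .add_extension(x509.SubjectKeyIdentifier.from_public_key(inter_key.public_key()), critical=False)
             .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(root_key.public_key()), critical=False)
             .sign(root_key, hashes.SHA384()))  # signed with the ROOT key, not its own
    return root, inter

def check_intermediate(inter, root):
    # The links a path builder verifies before trusting certificates issued under `inter`.
    bc = inter.extensions.get_extension_for_class(x509.BasicConstraints).value
    ku = inter.extensions.get_extension_for_class(x509.KeyUsage).value
    aki = inter.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    ski = root.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    try:
        root.public_key().verify(inter.signature, inter.tbs_certificate_bytes, ec.ECDSA(inter.signature_hash_algorithm))
        signed_by_root = True
    except InvalidSignature:
        signed_by_root = False
    return {"issuer_matches_root_subject": inter.issuer == root.subject,
            "aki_matches_root_ski": aki.key_identifier == ski.digest,
            "signed_by_root_key": signed_by_root,
            "ca_with_pathlen_0": bc.ca and bc.path_length == 0,  # may issue end-entity certs only
            "can_sign_certs_and_crls": ku.key_cert_sign and ku.crl_sign,
            "validity_inside_root": root.not_valid_before <= inter.not_valid_before <= inter.not_valid_after <= root.not_valid_after}
```

Every entry in the returned dict should be True for a well-formed intermediate; a False value pinpoints which of the fields discussed above breaks the chain.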