Reputation: 2093
You know, just in case one of the CAs is not trusted by the client... This old image below and this answer suggest the possibility. I have Microsoft Server CA and OpenSSL; it still feels impossible.
This is NOT a duplicate of that said existing question, but it builds on its recent answer, which ruled that it is now possible... In this question I am seeking help on how to... Why do you keep thinking it's a duplicate?
Upvotes: 0
Views: 456
Reputation: 102286
Is it possible to have multiple CAs certify a single certificate?
It depends, but mostly NO. It depends on the PKI being used. There are two widespread PKIs used, and neither of them allows it.
The first widespread PKI is under the CA/Browser Baseline Requirements. The CA/B BR documents what browsers are doing. The second one is the IETF's PKIX. It's what user agents like curl and wget follow.
The CA/B and the IETF have slightly different rules. For a more in-depth discussion, see How do you sign Certificate Signing Request with your Certification Authority?
Now, there are two other options that could work for you, but they will require some work.
The first alternate option is to run your own PKI that does allow it. But browsers and other user agents won't know how to handle the certificates.
The second alternate option is to use an extension that includes the second authority's certification. Then, the primary authority, like a public CA, would sign the request with the extension. Extensions are usually used for policy (like conveying "extended validation" information), but it may work here.
Also see Is it possible to have a certificate signed by 2 authorities? on Super User.
Also see Certificate with Multiple Signers? on the PKIX mailing list. PKIX is the Internet's PKI as called out by the IETF.
Upvotes: 1
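What the "mostly NO" above looks like with OpenSSL, as an added example that is not part of the original answer: signing one CSR with two CAs does not add a second signature, it produces two separate certificates, each with a single issuer. CA-one, CA-two and host.example are constructed placeholder names.

```shell
#!/bin/sh
# Added example. CA-one, CA-two and host.example are constructed placeholder names.
two_ca_demo() (
  set -eu
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"

  # Two independent self-signed roots standing in for the two authorities.
  for ca in one two; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=CA-$ca" \
      -keyout "ca-$ca.key" -out "ca-$ca.pem" 2>/dev/null
  done

  # One server key pair, one CSR.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=host.example" \
    -keyout host.key -out host.csr 2>/dev/null

  # Signing the same CSR twice yields two certificates, not one with two signatures.
  for ca in one two; do
    openssl x509 -req -in host.csr -CA "ca-$ca.pem" -CAkey "ca-$ca.key" \
      -set_serial 1 -days 1 -out "host-$ca.pem" 2>/dev/null
    echo "host-$ca.pem $(openssl x509 -in "host-$ca.pem" -noout -issuer)"
  done

  # Each certificate chains to exactly one root and fails under the other.
  for cert in one two; do
    for ca in one two; do
      if openssl verify -CAfile "ca-$ca.pem" "host-$cert.pem" >/dev/null 2>&1
      then r=OK; else r=FAIL; fi
      echo "host-$cert.pem under ca-$ca.pem: $r"
    done
  done

  # Both certificates bind the same public key from the single CSR.
  k1=$(openssl x509 -in host-one.pem -noout -pubkey)
  k2=$(openssl x509 -in host-two.pem -noout -pubkey)
  if [ "$k1" = "$k2" ]; then echo "same public key: yes"
  else echo "same public key: no"; fi
)

two_ca_demo
```

A client that trusts only one of the two roots accepts only the certificate issued under that root.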