Reputation: 2576
I am trying to do this in Java but I think it is a general certificate question. I have a root CA, an intermediate CA1 issued by root CA, an intermediate CA2 issued by intermediate CA1, and a certificate issued by the intermediate CA2.
rootCA -> interCA1 -> interCA2 -> cert
Is it possible to verify cert with interCA1, without knowing interCA2?
cert.verify(interCA2.getPublicKey()); // ok
interCA2.verify(interCA1.getPublicKey()); // ok
cert.verify(interCA1.getPublicKey()); // NOT ok -> is there any way to fix or bypass this?
Upvotes: 0
Views: 102
Reputation: 39241
You cannot do this because interCA1 is not the issuer of cert.
cert.verify(interCA1.getPublicKey());
A certificate is signed with the private key of the issuing certificate, so you need its public key to verify the signature. Therefore, to verify cert, the complete certification chain is needed.
Upvotes: 1
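An added example, not part of the original posts: it builds a throwaway rootCA -> interCA1 -> interCA2 -> cert chain and shows that the direct signature check against interCA1 fails, while path validation anchored at interCA1 succeeds only when interCA2 is supplied as an intermediate. It is written in Go rather than Java because Go's standard library can generate the sample chain inline; the helper names `issue` and `chainResults` and all certificate contents are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed sample certificate; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainResults returns the errors from two direct signature checks and two path validations.
func chainResults() (byCA1, byCA2, anchoredWithCA2, anchoredWithoutCA2 error) {
	root, rootKey := issue("rootCA", true, nil, nil)
	ca1, ca1Key := issue("interCA1", true, root, rootKey)
	ca2, ca2Key := issue("interCA2", true, ca1, ca1Key)
	cert, _ := issue("cert", false, ca2, ca2Key)
	byCA1, byCA2 = cert.CheckSignatureFrom(ca1), cert.CheckSignatureFrom(ca2)
	anchors, inters := x509.NewCertPool(), x509.NewCertPool()
	anchors.AddCert(ca1) // interCA1 is the trust anchor, not rootCA
	inters.AddCert(ca2)  // interCA2 is still required to link cert to the anchor
	eku := []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
	_, anchoredWithCA2 = cert.Verify(x509.VerifyOptions{Roots: anchors, Intermediates: inters, KeyUsages: eku})
	_, anchoredWithoutCA2 = cert.Verify(x509.VerifyOptions{Roots: anchors, Intermediates: x509.NewCertPool(), KeyUsages: eku})
	return
}

func main() {
	a, b, c, d := chainResults()
	fmt.Printf("cert vs interCA1 key: %v\ncert vs interCA2 key: %v\nanchor interCA1 + interCA2: %v\nanchor interCA1 only: %v\n", a, b, c, d)
}
```

In Java, the corresponding path validation is done with `CertPathValidator` and a `TrustAnchor` built from interCA1, and it likewise needs interCA2 in the certification path.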