self-signed certificate issue

Question

I am doing self-signing certificate in my test environment. Here is more details about what I am doing.

http://www.hanselman.com/blog/SigningPowerShellScripts.aspx

My brief steps are (the purpose is to establish trust connection between computer C and computer A based on certificate),

1. Making computer A a root CA by using makecert.exe;
2. Self sign a certificate B which is issued by computer A as root CA;
3. Install certificate B on computer A as certificate used to do communication;
4. Install/trust root CA (compter A) into computer C;
5. Then computer C will trust computer A's communication using certificate B.

My confusion is, computer C trusts computer A without installing certificate B? I think both root CA's certificate and the other party's certificate are needed to be installed. Any comments or ideas?

thanks in advance, George

Answer 1

Computer A doesn't actually become a "root CA". You need to create a root certificate, and then install it on the target computer.

It's not quite as simple as installing the root certificate on the target computer as different applications may use different certificate stores. For example, you need to install root certificates into both Firefox and Explorer.

You can then create "child" certificates - signed by the root certificate - and the target system will accept the child certificate as valid, because it has been signed by the trusted root certificate.

A certificate is just a way of validating someone's public key. The certificate contains both your public key in plain text, and your public key encrypted by the private key of the signer. To validate the public key published in the certificate, you decrypt the encrypted version of the public key - using the public key of the signer - and check that it's the same as the plain text version of the public key.

In a self-signed certificate, you encrypt your public key with your private key. So a self signed certificate is also a root certificate because there is no higher signing authority in the chain.

Intermediate certificates can also be used to sign other certificates. In this way certificates can be used to build a "chain of trust" back to some (at least theoretically) trusted root certificate.

Bruce Schneier has a reasonable description of this in his book "Applied Cryptography". And Peter Gutman has a more colourful description of certificates at this linky:

http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf

Answer 2

You have step 2 incorrect, semantically at least. If you are generating a certificate signed by a CA then it is not self signed at all, it's signed by the CA.

So on machine C you only need to put your generated CA certificate in the trusted CA store. By doing this you are saying you trust anything it has signed, in your case certificate B.

However you say you're using this for communication - be aware that if you use something like WCF which will check for revocation you will need to turn this off as your generated CA won't support this.

Answer 3

Computer C must trust the root CA (on Computer A). Then, any certificates presented from another computer (say, Computer D) issued by the same root CA will be automatically trusted.

For instance, in Windows, you (by default) already have and trust the root CA certificate for Verisign. When you navigate to an HTTPS site that uses a Verisign certificate, you will automatically trust it - since you trust Verisign, and Verisign issued the cert to the HTTPS site.

IOW - you only need to trust the CA and install it's cert.