Reputation: 146
Here's what I've done:
Both of those links use http:// and not https://, which feels unsafe to me.
Why doesn't Google protect them with HTTPS URLs?
Upvotes: 0
Views: 201
Reputation: 146
Because certificates are always signed, the use of HTTPS doesn't add anything to the publication of the certificate, and can sometimes prevent other services from using the certificate.
Page 104 of RFC 5280, which defines what an X.509 certificate should look like, answers this as follows:
CAs SHOULD NOT include URIs that specify https, ldaps, or similar schemes in extensions. CAs that include an https URI in one of these extensions MUST ensure that the server's certificate can be validated without using the information that is pointed to by the URI. Relying parties that choose to validate the server's certificate when obtaining information pointed to by an https URI in the cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess extensions MUST be prepared for the possibility that this will result in unbounded recursion.
It also helps prevent circular dependencies. If a client needs to establish an HTTPS connection in order to build a chain which itself could be used to verify an HTTPS connection, they could get into an infinite loop. HTTPS is also unnecessary here since, as I mentioned above, CA certs downloaded from that URL must be signed by another trusted CA, so their integrity is preserved.
Upvotes: 1
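The following is an added example, not part of the answer above: it shows a client listing a certificate's caIssuers URIs, flagging the schemes RFC 5280 says SHOULD NOT be used, and accepting a downloaded issuer certificate only if its key verifies the signature, regardless of transport. It assumes the third-party Python `cryptography` package; all names, URLs and certificates are constructed for the demonstration.

```python
import datetime
from urllib.parse import urlsplit
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID as AIA, NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn, issuer_key, aia_url=None):
    """Build a constructed test certificate (hypothetical helper, not a real CA's output)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if aia_url:
        desc = x509.AccessDescription(AIA.CA_ISSUERS, x509.UniformResourceIdentifier(aia_url))
        b = b.add_extension(x509.AuthorityInformationAccess([desc]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def ca_issuer_urls(cert):
    """Return (url, ok) pairs; ok is False for https/ldaps, which risk recursive validation."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    urls = [d.access_location.value for d in aia if d.access_method == AIA.CA_ISSUERS]
    return [(u, urlsplit(u).scheme.lower() not in ("https", "ldaps")) for u in urls]

def issued_by(cert, candidate):
    """Accept a downloaded issuer only if its name matches and its key verifies cert."""
    if cert.issuer != candidate.subject:
        return False
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

# Constructed sample data: a CA, a same-named impostor with a different key, and a leaf.
ca_key, rogue_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
real_ca = make_cert("Example CA", ca_key, "Example CA", ca_key)
rogue_ca = make_cert("Example CA", rogue_key, "Example CA", rogue_key)
leaf = make_cert("www.example.test", leaf_key, "Example CA", ca_key,
                 aia_url="http://pki.example.test/ca.crt")
```

A certificate swapped in on the plain-HTTP download path fails `issued_by`, and an accepted issuer still has to chain to a trust anchor the client already holds.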