Score:0

Can a CA generate a signed certificate for a host in a top-level domain not under the CA's control?

Background

I need to replace an existing certificate on a host named h1.vx.mydomain.net (not the real domain obviously).

The existing certificate says it was issued by a chain of CAs that I do not recognize. The CAs are clearly third-party CA organizations. The certificate was definitely not generated as a self-signed certificate. It also was not generated using an internal public key infrastructure.

What's puzzling to me is that the list of CAs in the certificate chain is not related to the registrar for mydomain.net (it's registered with GoDaddy). I would have expected that the certificate chain would include GoDaddy as an issuing CA or that one of the CAs in the chain would be a trusted intermediate CA under GoDaddy, but that doesn't seem to be the case.

This leaves me wondering what process to use to generate a replacement certificate for h1.vx.mydomain.net. I expected that I would need a GoDaddy certificate, but the old certificate makes me think GoDaddy was not used as the CA.

Main Question

Is it possible to have a "random" third-party CA generate a certificate using a CSR for a host in a domain not registered with the CA? If yes, is it going to have consequences?

I'm trying to make sense of a situation that seems foreign to me.

Score:2

Any CA can issue a certificate for any domain. You merely need to prove domain ownership when purchasing the certificate. Where your domain is registered is immaterial.

Score:2

I would have expected that the certificate chain would include GoDaddy as an Issuing CA or that one of the CAs in the chain would be a trusted intermediary CA under GoDaddy, but that doesn't seem to be the case.

Why would you expect that?

There is no such requirement. Broadly speaking, any CA can issue certificates for all domains, constrained by the rules set down by the CA/Browser Forum. If you wish to limit the CAs allowed for your domains, you have to do so by using CAA records.

In short: the entire premise of your question is founded on a mistaken belief. Answering the rest doesn't make sense.

JamesHoux: If you consider that it would be normal for a person to work their entire career either using self-signed certificates, in-house CAs, or going directly to the registrar to get certs for a given domain, it would be normal for one to think that the certificate needs to come from someone with authority over the domain name. Indeed, being told this is a mistaken view is the answer I needed. Thank you. :)

vidarlo: The authority is *you*. CAs shall only issue to someone who can demonstrate control over the domain.

JamesHoux: OK, so how do you prove to the CA that you have control over the domain? Furthermore, according to this article from 2017, CAs may not even honor the restriction you stated: https://thenewstack.io/heres-caa-dns-record-https-website/ "any one of them [CAs] can theoretically issue a valid SSL certificate for any website on the internet." If they mistakenly believe you have control over the domain when you really don't, or if they don't bother to check, they can generate a certificate for you. This kind of seems absurd in its design. CAA exists because the model is fundamentally flawed.

vidarlo: It varies, but for instance [Let's Encrypt documents the automated challenges they use.](https://letsencrypt.org/docs/challenge-types/) LE has in general disrupted the CA market by automating issuance of certificates for free, and some competitors have embraced the ACME protocol used by LE as well. Other methods are possible as well, such as e-mail to people listed in WHOIS, or phone calls.

JamesHoux: Dude, it's only been 51 minutes since I posted. You need to chill. :P

vidarlo: @JamesHoux Didn't notice that you've been around for a while :) Too many new users that disappear after the first question without ever voting :)

joeqwerty: @JamesHoux every CA I've ever purchased an SSL certificate from supports and uses self-service domain ownership verification methods. See here for what those are and how they work: https://www.entrust.com/knowledgebase/ssl/domain-verification-methods