Not really.. and here is why.
The boolean reference of CA = True is used by applications to denote whether the certificate public key belongs to a CA (Certificate Authority). Technically all SSL Certificates (end entity) that are issued from a CA have this true attribute as they are chained from Intermediate CA and Root CA. You will not find this actual boolean attribute on a certificate. It is a coding attribute used by applications to check and see if a certificate is issued by a CA intermediate or root.
As for the KeyUsage= CertSign or keyUsage= “Certificate Signing”. This is a key usage constraint that only belong to Root Certificates or Intermediate Certificates in the CA world. It means that the certificate has the capability of signing other certificates which you will not find on any end entity SSL certificate issued by a CA. If an admin had such a certificate with this attribute it would mean that they can sign their own certificates to who or whatever they choose.
So in short, Admins will never get an SSL Certificate that is publicly trusted from a CA with the KeyUsage = CertSign. The security liability of such a thing would destroy the internet.
The only option that a public CA will be willing to provide an organization that wants such a thing is is a product refereed to as “Private CA.” This option will not allow certificates issued from this Private CA to be trusted in public browsers or applications. So its pretty much useless. Admins might as well just use their own self signed CA. With a self created – self signed CA an admin can do whatever they want. This is the only way to get a certificate with the KeyUsage CerSign since it does not follow industry guidelines.
If you want to know more about what all the different details of a certificate mean view the below article.
What Do The Details of a Digital Certificate Mean?
Add to favorites