What is Ask SSL Support Desk?
It is a summary of random questions that have come to the attention of Acmetek’s most awesome technical support reps, answered and shared for the SSL Support Desk’s SSL Library, which is designed to teach and educate the community.

Can I get an SSL Certificate that has CA = True or KeyUsage = CertSign?

Short Answer:
Not really, and here is why.

The boolean reference CA = True is used by applications to denote whether the certificate's public key belongs to a CA (Certificate Authority). Technically all SSL Certificates (end entity) that are issued from a CA have this true attribute, as they are chained from an Intermediate CA and a Root CA. You will not find this actual boolean attribute on a certificate. It is a coding attribute used by applications to check whether a certificate is issued by a CA intermediate or root.

As for KeyUsage = CertSign, or keyUsage = “Certificate Signing”: this is a key usage constraint that only belongs to Root Certificates or Intermediate Certificates in the CA world. It means that the certificate has the capability of signing other certificates, which you will not find on any end entity SSL certificate issued by a CA. If an admin had a certificate with this attribute, they could sign their own certificates for whomever or whatever they choose.

So in short, admins will never get a publicly trusted SSL Certificate from a CA with KeyUsage = CertSign. The security liability of such a thing would destroy the internet.

The only option that a public CA will be willing to provide an organization that wants such a thing is a product referred to as “Private CA.” This option will not allow certificates issued from this Private CA to be trusted in public browsers or applications, so it's pretty much useless. Admins might as well just use their own self-signed CA. With a self-created, self-signed CA an admin can do whatever they want. This is the only way to get a certificate with the KeyUsage CertSign, since it does not follow industry guidelines.
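To see whether a given certificate carries the Certificate Signing key usage described above, the sketch below decodes the DER value of the KeyUsage extension (OID 2.5.29.15) and reports which usages it asserts. It is an added example, not code from SSL Support Desk; the function names and the sample byte strings are constructed for illustration, and the bit positions follow RFC 5280.

```python
# Added example: decode the DER value of the X.509 KeyUsage extension.
# Bit order follows RFC 5280: bit 0 is the most significant bit of the
# first content byte of the BIT STRING.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)


def decode_key_usage(der: bytes) -> set:
    """Return the usage names asserted in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # Short-form length only; at least the unused-bits byte plus one content
    # byte, because RFC 5280 requires at least one usage bit to be set.
    if length & 0x80 or length < 2 or len(der) != 2 + length:
        raise ValueError("unexpected BIT STRING length")
    unused, content = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    total_bits = len(content) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i < total_bits and content[i // 8] & (0x80 >> (i % 8)):
            usages.add(name)
    return usages


def can_sign_certificates(der: bytes) -> bool:
    """True when the extension grants keyCertSign ("Certificate Signing")."""
    return "keyCertSign" in decode_key_usage(der)


# Constructed sample extension values (hypothetical, not from a real certificate).
SAMPLES = {
    "root/intermediate CA": bytes.fromhex("03020106"),    # Certificate Sign, CRL Sign
    "end entity TLS server": bytes.fromhex("030205a0"),   # Digital Signature, Key Encipherment
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        verdict = "CAN sign certificates" if can_sign_certificates(value) else "cannot sign certificates"
        print(f"{label}: {sorted(decode_key_usage(value))} -> {verdict}")
```

An end entity certificate that unexpectedly reports keyCertSign is worth flagging in an inventory or audit.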

If you want to know more about what all the different details of a certificate mean, view the article below.

What Do The Details of a Digital Certificate Mean?

Posted by:
Dominic Rafael
Senior Lead IT Engineer