Why www.facebook.com Has 2 Certificates
Why www.facebook.com has 2 certificates for their HTTPS Web site?
✍: FYIcenter.com
To understand why www.facebook.com has 2 certificates, let's use the "keytool -printcert" command to print out the owners and issuers of those certificates:
C:\Users\fyicenter> keytool -printcert -file facebook.pem

Certificate[1]:
Owner: CN=www.facebook.com, O="Facebook, Inc.", L=Palo Alto, ST=California, C=US
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Serial number: 165f9ff89d0b31a887537cdef24fe04
Valid from: Wed Jun 20 20:00:00 EDT 2012 until: Tue Dec 31 18:59:59 EST 2013
Certificate fingerprints:
   MD5:  8E:74:0C:F8:E5:50:76:EC:04:F0:D9:C5:B7:AD:B4:3A
   SHA1: 9C:53:B1:A4:16:F9:58:79:1B:DA:D0:28:A9:FA:5D:65:4C:5F:81:52
   SHA256: 51:96:D4:16:59:47:E8:FB:83:B6:E3:5B:CA:3B:1A:61:43:49:E4:8A:48:D8:9A:23:17:60:A2:C4:40:25:28:BA
   Signature algorithm name: SHA1withRSA
   Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.verisign.com
  ]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://SVRIntl-crl.verisign.com/SVRIntl.crl]
]]

#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65   ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61         risign.com/rpa

]]  ]
]

#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: www.facebook.com
  DNSName: facebook.com
]

Certificate[2]:
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Serial number: 46fcebbab4d02f0f926098233f93078f
Valid from: Wed Apr 16 20:00:00 EDT 1997 until: Mon Oct 24 19:59:59 EDT 2016
Certificate fingerprints:
   MD5:  AC:D8:0E:A2:7B:B7:2C:E7:00:DC:22:72:4A:5F:1E:92
   SHA1: D5:59:A5:86:66:9B:08:F4:6A:30:A1:33:F8:A9:ED:3D:03:8E:2E:A8
   SHA256: 00:BD:2B:0E:DD:83:40:B1:74:6C:C3:95:C0:E3:55:B2:16:58:53:FD:B9:3C:52:DA:DD:A8:22:8B:07:00:2D:CE
   Signature algorithm name: SHA1withRSA
   Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:0
]

#2: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/pca3.crl]
]]

#3: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65   ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 43 50 53         risign.com/CPS

]]  ]
]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113730.4.1
  2.16.840.1.113733.1.8.1
]

#5: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
]
If you read the owner and issuer information of both certificates, you can see that the Issuer of Certificate[1] (OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network) is exactly the Owner of Certificate[2]. Certificate[2] is a CA certificate (CA:true, PathLen:0) whose Issuer is OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US, while Certificate[1] is not a CA certificate (CA:false).
Now we know why www.facebook.com provides 2 certificates. The first certificate is Facebook's own certificate, but it is not signed directly by a trusted root CA. It is signed by the second certificate, which belongs to an intermediate CA and is itself signed by a trusted root CA.
In other words, www.facebook.com provides its own certificate together with the signer's certificate, which is signed by a trusted root CA. www.facebook.com does this to show that it can be trusted indirectly through this certificate chain (or certificate path).
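The same chain check done in code, as an added example that is not from the page and is not keytool's code: the Go program below builds a constructed three-level PKI (root, intermediate, server leaf) because facebook.pem is not available here, writes the leaf and intermediate into a PEM bundle the way a server sends them, parses that bundle in the order keytool -printcert numbers it, checks that each certificate's Issuer is the next certificate's Owner, and then asks Go's crypto/x509 to verify the path up to the root. The names (Example Root CA, Example Intermediate Server CA, www.example.test) and the helpers makeCert, BuildSample, ParseBundle and CheckChain are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeCert is a hypothetical fixture helper (not keytool's, not the page's): it issues
// a certificate for subject, self-signed when parent is nil, otherwise signed by parent.
func makeCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, dns []string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // sample data only, key-gen error ignored
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true, // emit BasicConstraints, CA:true or CA:false
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed root unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildSample constructs root -> intermediate -> leaf; returns the PEM bundle a server sends (leaf, then intermediate, never the root) and a pool holding only the root.
func BuildSample() ([]byte, *x509.CertPool) {
	root, rootKey := makeCert("Example Root CA", true, nil, nil, nil)
	inter, interKey := makeCert("Example Intermediate Server CA", true, root, rootKey, nil)
	leaf, _ := makeCert("www.example.test", false, inter, interKey, []string{"www.example.test"})
	var bundle []byte
	for _, c := range []*x509.Certificate{leaf, inter} {
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	roots := x509.NewCertPool() // stands in for the browser's trusted root store
	roots.AddCert(root)
	return bundle, roots
}

// ParseBundle reads every PEM block in file order, which keytool -printcert numbers Certificate[1], [2], ...
func ParseBundle(pemData []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificates found in bundle")
	}
	return certs, nil
}

// CheckChain does programmatically what the article does by eye: each certificate's Issuer
// must equal the next certificate's Owner (Subject); the path is then verified up to a root
// in the trusted pool, which is where a chain ending at an unknown CA fails.
func CheckChain(certs []*x509.Certificate, roots *x509.CertPool, host string) error {
	inter := x509.NewCertPool()
	for i := 0; i+1 < len(certs); i++ {
		if certs[i].Issuer.String() != certs[i+1].Subject.String() {
			return fmt.Errorf("Certificate[%d] Issuer %q is not Certificate[%d] Owner %q", i+1, certs[i].Issuer.String(), i+2, certs[i+1].Subject.String())
		}
		inter.AddCert(certs[i+1])
	}
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

func main() {
	bundle, roots := BuildSample()
	certs, _ := ParseBundle(bundle)
	for i, c := range certs {
		fmt.Printf("Certificate[%d]:\n  Owner: %s\n  Issuer: %s\n  CA: %v\n", i+1, c.Subject, c.Issuer, c.IsCA)
	}
	fmt.Println("verify with root trusted:", CheckChain(certs, roots, "www.example.test"))
}
```

CheckChain with an empty x509.CertPool instead of roots reproduces the situation the article describes: the server's own certificate plus the intermediate are not enough on their own, and verification succeeds only once the chain reaches a root the client already trusts. Passing a pool that is empty rather than nil matters in Go, since a nil Roots falls back to the system root store.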
2012-07-20