Why www.facebook.com Has 2 Certificates
Why does www.facebook.com have 2 certificates for its HTTPS Web site?
✍: FYIcenter.com
To understand why www.facebook.com has 2 certificates, let's use the "keytool -printcert" command to print out the owners and issuers of those certificates:
C:\Users\fyicenter>"\Program Files\java\jre7\bin\keytool" -printcert -file facebook.pem
Certificate[1]:
Owner: CN=www.facebook.com, O="Facebook, Inc.", L=Palo Alto, ST=California, C=US
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Serial number: 165f9ff89d0b31a887537cdef24fe04
Valid from: Wed Jun 20 20:00:00 EDT 2012 until: Tue Dec 31 18:59:59 EST 2013
Certificate fingerprints:
   MD5:  8E:74:0C:F8:E5:50:76:EC:04:F0:D9:C5:B7:AD:B4:3A
   SHA1: 9C:53:B1:A4:16:F9:58:79:1B:DA:D0:28:A9:FA:5D:65:4C:5F:81:52
   SHA256: 51:96:D4:16:59:47:E8:FB:83:B6:E3:5B:CA:3B:1A:61:43:49:E4:8A:48:D8:9A:23:17:60:A2:C4:40:25:28:BA
   Signature algorithm name: SHA1withRSA
   Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.verisign.com
  ]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://SVRIntl-crl.verisign.com/SVRIntl.crl]
]]

#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61         risign.com/rpa
]]  ]
]

#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: www.facebook.com
  DNSName: facebook.com
]

Certificate[2]:
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Serial number: 46fcebbab4d02f0f926098233f93078f
Valid from: Wed Apr 16 20:00:00 EDT 1997 until: Mon Oct 24 19:59:59 EDT 2016
Certificate fingerprints:
   MD5:  AC:D8:0E:A2:7B:B7:2C:E7:00:DC:22:72:4A:5F:1E:92
   SHA1: D5:59:A5:86:66:9B:08:F4:6A:30:A1:33:F8:A9:ED:3D:03:8E:2E:A8
   SHA256: 00:BD:2B:0E:DD:83:40:B1:74:6C:C3:95:C0:E3:55:B2:16:58:53:FD:B9:3C:52:DA:DD:A8:22:8B:07:00:2D:CE
   Signature algorithm name: SHA1withRSA
   Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:0
]

#2: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/pca3.crl]
]]

#3: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 43 50 53         risign.com/CPS
]]  ]
]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113730.4.1
  2.16.840.1.113733.1.8.1
]

#5: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
]
If you read the owner and issuer information of both certificates, you can see that:
Now we know why www.facebook.com provides 2 certificates. The first certificate is Facebook's own certificate, but it is not signed by a trusted root CA. It is signed by the second certificate, which is owned by an intermediate CA and is itself signed by a trusted root CA. The output confirms the roles: the second certificate carries BasicConstraints CA:true with PathLen:0 and KeyUsage Key_CertSign, while Facebook's own certificate has CA:false.
In other words, www.facebook.com provides its own certificate together with the signer's certificate, which is signed by a trusted root CA. www.facebook.com does this so that your client can build a certificate chain (or certificate path) from Facebook's certificate, through the intermediate CA, to a root CA already in its trust store; without the intermediate certificate the chain would be incomplete and the client could not establish that the server certificate is trusted.
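To make the chain-building step concrete, here is an added Python example (not code from the original page) that models the two certificates above by their Owner, Issuer and BasicConstraints fields and walks the issuer links to a trusted root, the way a TLS client does before checking signatures. It also shows what happens when the intermediate is not sent, and how the intermediate's PathLen:0 is enforced. The Cert class, the shortened issuer strings and the extra test certificates are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """The fields of a certificate that path building needs (constructed, not parsed from DER)."""
    subject: str
    issuer: str
    ca: bool = False                 # BasicConstraints CA flag
    path_len: Optional[int] = None   # BasicConstraints PathLen; None = undefined


# Constructed from the Owner / Issuer / BasicConstraints fields in the keytool output above,
# with the issuer names shortened to their distinguishing OU.
LEAF = Cert("CN=www.facebook.com, O=Facebook, Inc.",
            "OU=VeriSign International Server CA - Class 3")
INTERMEDIATE = Cert("OU=VeriSign International Server CA - Class 3",
                    "OU=Class 3 Public Primary Certification Authority", ca=True, path_len=0)
ROOT = Cert("OU=Class 3 Public Primary Certification Authority",
            "OU=Class 3 Public Primary Certification Authority", ca=True)


def build_path(leaf: Cert, presented: List[Cert], trust_anchors: List[Cert], max_depth: int = 8):
    """Follow issuer links from the leaf through the certificates the server sent.

    Returns [leaf, ..., root] when a trust anchor is reached, else None."""
    by_subject = {c.subject: c for c in presented}
    anchors = {c.subject: c for c in trust_anchors}
    path, current = [leaf], leaf
    while len(path) <= max_depth:
        if current.issuer in anchors:
            return path + [anchors[current.issuer]]
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt in path:      # missing link (e.g. intermediate not sent) or a loop
            return None
        path.append(nxt)
        current = nxt
    return None


def constraint_errors(path: List[Cert]) -> List[str]:
    """Check BasicConstraints along a leaf-to-root path; signature checks are assumed done elsewhere."""
    errors = []
    for i, cert in enumerate(path[1:], start=1):
        if not cert.ca:
            errors.append(f"{cert.subject} issued a certificate but is not a CA")
        below = i - 1                       # CA certificates between this cert and the leaf
        if cert.path_len is not None and below > cert.path_len:
            errors.append(f"{cert.subject} has PathLen {cert.path_len} but {below} CA(s) below it")
    return errors
```

Calling build_path(LEAF, [LEAF], [ROOT]) returns None, which is exactly the situation the server avoids by sending the intermediate certificate as well.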
2012-07-20