Why www.facebook.com Has 2 Certificates
Why does www.facebook.com have 2 certificates for its HTTPS Web site?
✍: FYIcenter.com
To understand why www.facebook.com has 2 certificates, let's use the "keytool -printcert" command to print out the owners and issuers of the certificates saved in facebook.pem:
C:\Users\fyicenter> keytool -printcert -file facebook.pem
Certificate[1]:
Owner: CN=www.facebook.com, O="Facebook, Inc.", L=Palo Alto, ST=California, C=US
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Serial number: 165f9ff89d0b31a887537cdef24fe04
Valid from: Wed Jun 20 20:00:00 EDT 2012 until: Tue Dec 31 18:59:59 EST 2013
Certificate fingerprints:
         MD5:  8E:74:0C:F8:E5:50:76:EC:04:F0:D9:C5:B7:AD:B4:3A
         SHA1: 9C:53:B1:A4:16:F9:58:79:1B:DA:D0:28:A9:FA:5D:65:4C:5F:81:52
         SHA256: 51:96:D4:16:59:47:E8:FB:83:B6:E3:5B:CA:3B:1A:61:43:49:E4:8A:48:D8:9A:23:17:60:A2:C4:40:25:28:BA
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.verisign.com
  ]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://SVRIntl-crl.verisign.com/SVRIntl.crl]
]]

#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 72 70 61        risign.com/rpa

]]  ]
]

#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: www.facebook.com
  DNSName: facebook.com
]

Certificate[2]:
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Serial number: 46fcebbab4d02f0f926098233f93078f
Valid from: Wed Apr 16 20:00:00 EDT 1997 until: Mon Oct 24 19:59:59 EDT 2016
Certificate fingerprints:
         MD5:  AC:D8:0E:A2:7B:B7:2C:E7:00:DC:22:72:4A:5F:1E:92
         SHA1: D5:59:A5:86:66:9B:08:F4:6A:30:A1:33:F8:A9:ED:3D:03:8E:2E:A8
         SHA256: 00:BD:2B:0E:DD:83:40:B1:74:6C:C3:95:C0:E3:55:B2:16:58:53:FD:B9:3C:52:DA:DD:A8:22:8B:07:00:2D:CE
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:0
]

#2: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/pca3.crl]
]]

#3: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 43 50 53        risign.com/CPS

]]  ]
]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113730.4.1
  2.16.840.1.113733.1.8.1
]

#5: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
]
If you read the owner and issuer information of both certificates, you can see that:

- Certificate[1] is owned by CN=www.facebook.com and is issued by "VeriSign International Server CA - Class 3". Its BasicConstraints extension says CA:false, so it is an end-entity (server) certificate and cannot sign other certificates.
- Certificate[2] is owned by that same "VeriSign International Server CA - Class 3" and is issued by "Class 3 Public Primary Certification Authority", a VeriSign root CA. Its BasicConstraints extension says CA:true with PathLen:0 and its KeyUsage includes Key_CertSign, so it is an intermediate CA certificate that may sign end-entity certificates but no further CA certificates.

Now we know why www.facebook.com provides 2 certificates. The first certificate is Facebook's own server certificate, but it is not signed directly by a trusted root CA. It is signed by the intermediate CA whose certificate is the second one in the file, and that intermediate certificate is in turn signed by a trusted root CA.

In other words, www.facebook.com sends its own certificate together with its signer's certificate, which is itself signed by a trusted root CA. The root certificate is not sent; the client is expected to already have it in its trust store. The server does this so that the client can trust www.facebook.com indirectly through this certificate chain (or certificate path): the client checks that the issuer of Certificate[1] is the owner of Certificate[2], that Certificate[1]'s signature verifies with Certificate[2]'s public key, and that Certificate[2]'s signature verifies with the public key of a root it already trusts. If the server sent only its own certificate, a client that does not already have the intermediate would be unable to build the path and would reject the connection.
2012-07-20