Why www.facebook.com Has 2 Certificates

Q

Why www.facebook.com has 2 certificates for their HTTPS Web site?

✍: FYIcenter.com

A

To understand why www.facebook.com has 2 certificates, let's use the "keytool -printcert" command print out owners and issuers of those certificates: 

C:\Users\fyicenter>"\Program Files\java\jre7\bin\keytool" -printcert
-file facebook.pem

Certificate[1]:
Owner: CN=www.facebook.com, O="Facebook, Inc.", L=Palo Alto,
   ST=California, C=US
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
   VeriSign, OU=VeriSign International Server CA - Class 3,
   OU="VeriSign, Inc.", O=VeriSign Trust Network
Serial number: 165f9ff89d0b31a887537cdef24fe04
Valid from: Wed Jun 20 20:00:00 EDT 2012 until: Tue Dec 31 18:59:59 EST 2013
Certificate fingerprints:
      MD5:  8E:74:0C:F8:E5:50:76:EC:04:F0:D9:C5:B7:AD:B4:3A
      SHA1: 9C:53:B1:A4:16:F9:58:79:1B:DA:D0:28:A9:FA:5D:65:4C:5F:81:52
      SHA256: 51:96:D4:16:59:47:E8:FB:83:B6:E3:5B:CA:3B:1A:61:43:49:E4:
         8A:48:D8:9A:23:17:60:A2:C4:40:25:28:BA
      Signature algorithm name: SHA1withRSA
      Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.verisign.com
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://SVRIntl-crl.verisign.com/SVRIntl.crl]
]]

#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier:
  0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
  0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 72 70 61        risign.com/rpa

]]  ]
]

#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: www.facebook.com
  DNSName: facebook.com
]


Certificate[2]:
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
   OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.",
   O=VeriSign Trust Network
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
   Inc.", C=US
Serial number: 46fcebbab4d02f0f926098233f93078f
Valid from: Wed Apr 16 20:00:00 EDT 1997 until: Mon Oct 24 19:59:59 EDT 2016
Certificate fingerprints:
      MD5:  AC:D8:0E:A2:7B:B7:2C:E7:00:DC:22:72:4A:5F:1E:92
      SHA1: D5:59:A5:86:66:9B:08:F4:6A:30:A1:33:F8:A9:ED:3D:03:8E:2E:A8
      SHA256: 00:BD:2B:0E:DD:83:40:B1:74:6C:C3:95:C0:E3:55:B2:16:58:53:
              FD:B9:3C:52:DA:DD:A8:22:8B:07:00:2D:CE
      Signature algorithm name: SHA1withRSA
      Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:0
]

#2: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/pca3.crl]
]]

#3: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier:
  0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
  0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 43 50 53        risign.com/CPS

]]  ]
]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113730.4.1
  2.16.840.1.113733.1.8.1
]

#5: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
]

If you read the owner and issuer information of both certificates, you can see that:

  • The first certificate is owned by www.facebook.com and signed by "VeriSign International Server CA - Class 3".
  • The second certificate is owned by "VeriSign International Server CA - Class 3" and signed by "Class 3 Public Primary Certification Authority," of "VeriSign, Inc.".

Now we know why www.facebook.com provides 2 certificates. The first certificate is Facebook's own certificate, but it is not signed by a trusted root CA. It is signed by the second certificate owned by an intermediate CA, which is signed by a trusted root CA.

In other word, www.facebook.com provides its own certificate and the signer's certificate, which signed by a trusted root CA. www.facebook.com is doing this to show you it can be trusted indirectly through this certificate chain (or certificate path).

2012-07-20, 5692👍, 0💬

Firefox General Google Chrome IE (Internet Explorer) Intermediate CA Java VM JDK Keytool Microsoft CertUtil Mozilla CertUtil OpenSSL Other Portecle Public Private Key Publishers Revoked Certificates Root CA Tools Tutorial What Is Windows