
Why do I need to pin the RootCA certificate in my truststore, when I am manually able to track down the chain using the URL in the AIA attribute?


I am configuring TLS for a tool which contains a webserver component. This tool provides a Web-UI, which I can access via HTTPS. Additionally, it uses LDAPS for user authentication (in a second step/internally).

I have imported a new Client/Server certificate (EndPointCert) in the truststore (cacerts) of this tool and the corresponding private key in its keystore. This EndPointCert is signed by an intermediateCA.

Now, if I have not pinned/imported the RootCA certificate of our company in the truststore of this tool, LDAPS fails. However, the SSL/TLS connection to the webserver part works fine. If I include the RootCA certificate, LDAPS authentication also works.

In the AIA attribute of the EndPointCert the URL to an intermediateCA cert is included. If I chase this down, I can download the intermediateCA cert and then, using its AIA field, I can download a RootCA certificate. I am using JKS.

Is there any general rule that I have to include the RootCA cert in truststores? Or is this just a "speciality" or feature (=bug) of this tool?

Thank you!


Solution

  • It is pretty common that the trust store is for CA certificates only, hence the name "cacerts". This means leaf certificates like server and client certificates which are not a CA certificate (basic constraints CA:true in the certificate properties) will be ignored. That's at least the behavior with OpenSSL.

    It is also pretty common that it is expected that the trust chain can be built up to a locally trusted root certificate. Such a root is self-signed, i.e. the signature is by the root CA certificate itself. This is also the default behavior with OpenSSL. If intermediate CA certificates or leaf certificates should be accepted as the final trust anchor, then the X509_V_FLAG_PARTIAL_CHAIN option needs to be set.

    As for "track down the chain using URL in AIA attribute" - the trust anchor must actually be trusted. Loading something from somewhere on the internet (i.a. following AIA) does not make it trusted, but having it pre-installed in the local trust store does. AIA can be used to track down missing intermediate certificates which are needed to build a path to a local root CA, but the path must still end in an explicitly trusted CA.
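The three points of the answer (a trust store normally has to contain the self-signed root, an intermediate alone is only accepted with the partial-chain option, and a fetched intermediate merely fills the gap up to a trusted root) can be reproduced with OpenSSL. The script below is an added example, not code from the question or answer: it generates a constructed root, intermediate and leaf (all names and the `ldap.example.test` hostname are made up) and then runs `openssl verify` against different trust-store contents; `-untrusted int.pem` plays the role of an intermediate obtained via AIA.

```shell
#!/bin/sh
# Added example (not from the original post): build a constructed
# root -> intermediate -> leaf chain with OpenSSL, then probe which
# trust-store contents let `openssl verify` accept the leaf.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Extension profiles for the constructed certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:ldap.example.test\n' > leaf.ext

# Self-signed root CA: by default the only thing that counts as a trust anchor.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 \
  -out root.pem >/dev/null 2>&1

# Intermediate CA signed by the root (what an AIA "CA Issuers" URL usually serves).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 2 -out int.pem >/dev/null 2>&1

# Leaf (the EndPointCert of the question) signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -extfile leaf.ext -days 2 -out leaf.pem >/dev/null 2>&1

cat root.pem int.pem > both.pem

# verify_leaf <trusted CA file> [extra openssl verify options]
# Prints "ok" when the leaf validates against that trust store, else "fail".
verify_leaf() {
  cafile="$1"; shift
  if openssl verify -CAfile "$cafile" "$@" leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "intermediate only:                $(verify_leaf int.pem)"                     # fail
echo "intermediate only, partial chain: $(verify_leaf int.pem -partial_chain)"      # ok
echo "root only, intermediate missing:  $(verify_leaf root.pem)"                    # fail
echo "root + intermediate as untrusted: $(verify_leaf root.pem -untrusted int.pem)" # ok
echo "root + intermediate in store:     $(verify_leaf both.pem)"                    # ok
```

The "root only" case is the situation AIA chasing fixes, and the "intermediate only" case is the one the question ran into: without the root in the store, the chain has no trusted end unless the verifier is explicitly told to accept partial chains.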