ASK SSL Support Desk – Can I get an SSL Certificate that has CA = True or KeyUsage = CertSign?

What is Ask SSL Support Desk?
It is a summary of random questions that have come to the attention of Acmetek’s most awesome technical support reps, answered and shared for the SSL Support Desk’s SSL Library, which is designed to teach and educate the community.

Question:
Can I get an SSL Certificate that has CA = True or KeyUsage = CertSign?

Short Answer:
Not really, and here is why.

The boolean reference CA = True is used by applications to denote whether the certificate's public key belongs to a CA (Certificate Authority). Technically all SSL Certificates (end entity) that are issued from a CA have this true attribute, as they are chained from an Intermediate CA and a Root CA. You will not find this actual boolean attribute on a certificate. It is a coding attribute used by applications to check whether a certificate is issued by a CA intermediate or root.

As for KeyUsage = CertSign, or keyUsage = “Certificate Signing”: this is a key usage constraint that only belongs to Root Certificates or Intermediate Certificates in the CA world. It means that the certificate has the capability of signing other certificates, which you will not find on any end entity SSL certificate issued by a CA. If an admin had a certificate with this attribute, it would mean that they could sign their own certificates for whomever or whatever they choose.

So in short, Admins will never get an SSL Certificate that is publicly trusted from a CA with the KeyUsage = CertSign. The security liability of such a thing would destroy the internet.

The only option that a public CA will be willing to provide to an organization that wants such a thing is a product referred to as “Private CA.” Certificates issued from this Private CA will not be trusted in public browsers or applications, so it's pretty much useless. Admins might as well just use their own self-signed CA. With a self-created, self-signed CA an admin can do whatever they want. This is the only way to get a certificate with the KeyUsage CertSign, since it does not follow industry guidelines.
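As an added illustration (not part of the original article or any Acmetek tooling), the script below uses the `openssl` command line to create a self-signed CA and an end-entity certificate issued by it, then checks each one for Certificate Sign in its Key Usage extension. The subjects, file names, lifetimes and the `has_cert_sign` and `build_demo_pki` helpers are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example. Subjects, file names and lifetimes are constructed for the demo.
set -eu

# Print "yes" when the certificate's Key Usage extension lists Certificate Sign
# (keyCertSign), otherwise "no".
has_cert_sign() {
  if openssl x509 -in "$1" -noout -text \
      | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'; then
    echo yes
  else
    echo no
  fi
}

# Create a self-signed CA and one end-entity certificate issued by it in "$1".
build_demo_pki() {
  dir=$1
  cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # Self-signed CA: the only certificate here that carries keyCertSign.
  openssl req -x509 -config "$dir/demo.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Self-Signed CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # End-entity key and CSR, then a certificate signed by the demo CA.
  openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/demo.cnf" -extensions leaf_ext \
    -out "$dir/leaf.crt" 2>/dev/null
}

work=$(mktemp -d)
build_demo_pki "$work"
echo "ca.crt   Certificate Sign: $(has_cert_sign "$work/ca.crt")"
echo "leaf.crt Certificate Sign: $(has_cert_sign "$work/leaf.crt")"
rm -rf "$work"
```

The same `has_cert_sign` check can be pointed at any PEM certificate file, for example to audit an internal certificate store for certificates that are able to sign others.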

If you want to know more about what the different details of a certificate mean, see the article below.

What Do The Details of a Digital Certificate Mean?
https://www.sslsupportdesk.com/details-digital-certificate-mean/


Posted by:
Dominic Rafael
Senior Lead IT Engineer