Trusting CA Certificates by Thumbprint

Information Security Asked by houtanf on November 30, 2021

Id like to create an application which trusts certificates issued from specific CAs.

My ideas is to have a list of thumbprints for CA certificates I trust. Then whenever my app receives a certificate for authentication, it checks its cert chain and makes sure the thumbprint of its issuing certificate is found in my "trusted thumbprints list".

However, what happens when a CA certificate expires? Will the CA generate a new certificate with a different thumbprint, forcing me to update my list of trusted thumbprints whenever this occurs?

Would trusting CA certs based on public key make a difference, or will these be rotated as well?

How about trusting CA SAN? Can a malicious party create issuing certificates with the same SAN as one of my trusted CAs?

One Answer

First, a thumbprint (also called fingerprint) of a CA certificate is not sufficient to verify the trust chain. In order to validate the trust chain you need to have the public key of the CA which is contained in the CA certificate but not in the thumbprint. Still, you can have a collection of CA certificates and then define using the thumbprint which to trust and which not.

Whenever a certificate gets renewed the certificate fingerprint will change because the fingerprint is computed based on the full certificate, which includes the (changed) expiration. A public key fingerprint is more stable in this regard since a renewal might reuse the previous public key and in this case the public key fingerprint will not change. But while this is at least possible it is far from guaranteed. A CA might decide to use a different public key, for example because the previous one was considered too weak and not sufficiently future proof.

Answered by Steffen Ullrich on November 30, 2021

Add your own answers!

Related Questions

Jenkins malicious process identification

2  Asked on October 28, 2021 by nemanja-martinovic


Does encrypted content in a database need to be signed?

1  Asked on October 28, 2021 by ian-warburton


WhatsApp account got “hacked”/hijacked?

1  Asked on October 28, 2021 by d-a-vorm


iCloud deletion

1  Asked on October 28, 2021 by mp115


Difference between Zeek (Bro) and Snort 3

2  Asked on October 28, 2021 by ustavsaat


Help Understanding PHP Reverse Shells

1  Asked on October 28, 2021 by pdawg


Refresh token using a separate auth server?

0  Asked on October 28, 2021


Is the perfect MITM attack possible?

1  Asked on October 28, 2021 by user238715


What attack vectors does arbitrary JS on a user profile allow?

2  Asked on October 28, 2021 by sellarafaeli


Processing Exceptionally High Volume Singular Flows

1  Asked on March 9, 2021 by reedghost


Ask a Question

Get help from others!

© 2023 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP