+1 vote
I missed doing the 2nd exercise and was going through it today. Sorry for the late question.

"The root CA is allowed to issue intermediary certificate" is one of the right answers. How can we say so if "Certificate Authority : No" in the certificate's "Basic Constraints"?

I'm not sure if the solution is incorrect or if I've mistaken how to determine if a CA is allowed to issue certificates.

Thanks in advance for the response! :)
in Exercises by
edit history

1 Answer

+1 vote
Hi,

I believe you looked at the leaf certificate and have seen the basic constraints extension there, right?

To answer this question, you have to take a look at the root CA's certificate. In the root certificate, you will be able to see: "CA:TRUE" without a pathlen constraint given. This means that the root CA is allowed to issue intermediary certificates.

Additionally, if you take a look at the intermediate CA certificate, you can see CA:TRUE with pathlen set to 0. This means that this is a CA but it is not allowed to issue any further CA certificates.

I hope this makes sense and clarifies the answer. Let me know if you have any additional questions :)
by (1.7k points)
edited by
edit history