cryptography Cryptography, or cryptology (from "hidden, secret"; and ''graphein'', "to write", or ''-logy, -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of Adversary (cryptography), ...

and

computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...

, a root certificate is a

public key certificate In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a Key authentication, public key. The certificate includes the public key and informati ...

that identifies a root certificate authority (CA). Root certificates are self-signed (and it is possible for a certificate to have multiple trust paths, say if the certificate was issued by a root that was cross-signed) and form the basis of an X.509-based

public key infrastructure A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to fac ...

(PKI). Either it has matched Authority Key Identifier with Subject Key Identifier, in some cases there is no Authority Key identifier, then Issuer string should match with Subject string (). For instance, the PKIs supporting

HTTPS Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protoc ...

for secure

web Web most often refers to: * Spider web, a silken structure created by the animal * World Wide Web or the Web, an Internet-based hypertext system Web, WEB, or the Web may also refer to: Computing * WEB, a literate programming system created by ...

browsing and electronic signature schemes depend on a set of root certificates. A certificate authority can issue multiple certificates in the form of a

tree structure A tree structure, tree diagram, or tree model is a way of representing the hierarchical nature of a structure in a graphical form. It is named a "tree structure" because the classic representation resembles a tree, although the chart is gen ...

. A root certificate is the top-most certificate of the tree, the private key which is used to "sign" other certificates. All certificates signed by the root certificate, with the "CA" field set to true, inherit the trustworthiness of the root certificate—a signature by a root certificate is somewhat analogous to "notarizing" identity in the physical world. Such a certificate is called an intermediate certificate or subordinate CA certificate. Certificates further down the tree also depend on the trustworthiness of the intermediates. The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the best-known root certificates are distributed in operating systems by their manufacturers.

Microsoft Microsoft Corporation is an American multinational corporation and technology company, technology conglomerate headquartered in Redmond, Washington. Founded in 1975, the company became influential in the History of personal computers#The ear ...

distributes root certificates belonging to members of the Microsoft Root Certificate Program to

Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...

desktops and Windows Phone 8. Apple distributes root certificates belonging to members of its own root program.

Incidents of root certificate misuse

DigiNotar hack of 2011

In 2011, the Dutch certificate authority DigiNotar suffered a security breach. This led to the issuing of various fraudulent certificates, which was among others abused to target Iranian Gmail users. The trust in DigiNotar certificates was retracted and the operational management of the company was taken over by the Dutch government.

China Internet Network Information Center (CNNIC) issuance of fake certificates

Firefox 89 AboutCertificate RootCA screenshot

In 2009, an employee of the China Internet Network Information Center (CNNIC) applied to

Mozilla Mozilla is a free software community founded in 1998 by members of Netscape. The Mozilla community uses, develops, publishes and supports Mozilla products, thereby promoting free software and open standards. The community is supported institution ...

to add CNNIC to Mozilla's root certificate list and was approved. Later,

also added CNNIC to the root certificate list of

. In 2015, many users chose not to trust the digital certificates issued by CNNIC because an intermediate CA issued by CNNIC was found to have issued fake certificates for Google domain names and raised concerns about CNNIC's abuse of certificate issuing power. On April 2, 2015,

Google Google LLC (, ) is an American multinational corporation and technology company focusing on online advertising, search engine technology, cloud computing, computer software, quantum computing, e-commerce, consumer electronics, and artificial ...

announced that it no longer recognized the electronic certificate issued by CNNIC. On April 4, following Google, Mozilla also announced that it no longer recognized the electronic certificate issued by CNNIC.

WoSign and StartCom: Issuing fake and backdated certificates

In 2016, WoSign,

China China, officially the People's Republic of China (PRC), is a country in East Asia. With population of China, a population exceeding 1.4 billion, it is the list of countries by population (United Nations), second-most populous country after ...

's largest CA certificate issuer owned by Qihoo 360 and its Israeli subsidiary StartCom, were denied recognition of their certificates by

removed the relevant certificates in 2017. WoSign and StartCom issued hundreds of certificates with the same serial number in just five days, as well as issuing backdated certificates. In 2016, a system administrator in Florida was able to get WoSign and StartCom to issue fake certificates for multiple

GitHub GitHub () is a Proprietary software, proprietary developer platform that allows developers to create, store, manage, and share their code. It uses Git to provide distributed version control and GitHub itself provides access control, bug trackin ...

domains.

References

{{SSL/TLS Public key infrastructure Transport Layer Security

Incidents of root certificate misuse

DigiNotar hack of 2011

China Internet Network Information Center (CNNIC) issuance of fake certificates

WoSign and StartCom: Issuing fake and backdated certificates

See also

References