Complete the certificate chain with certificates from other sources

[The-Lum]

Question about Certificate Hierarchy

Hello all,

This is an [open] question:

• How is manage the Certificate Hierarchy fields/tree?
• Is kse provides automatically the Certificate Hierarchy of a [chain of] certificate?

For example, if I import a root cert and then a sub-ca cert on a personal CA Certificates KeyStore (on PKCS#12 format), I does not see all the Certificate Hierarchy when I made a Certificate Details for the sub-ca cert: I see only, on the tree, the sub-ca cert, not the root?

• Why? Idem with a cert and a sub-ca...

• There are some restriction?

Or other question:

• How to Append to Certificate Chain on a Trusted Certificate as it is possible on a Key Pair? But is not a solution, if it is necessary to add the same sub-ca key on each chain on all certs depending of this sub-ca key!

Regards.

---

Environment

• Version of KSE: 5.4.4
• Version of Java: openjdk version "11.0.8" 2020-07-14
• Platform (OS): Windows 10

[kaikramer]

That is how the Java KeyStore API works, see https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/KeyStore.html

[The-Lum]

Well, I understand the strong adherence to the Java Keystore, and the constraints of not altering it.

But as you have been able to do with Chain of Trust Checks can be enabled or disabled on the pref. panel...

• Are evolutions planned for the visualization of the certificate tree independently of the structure in the keystore?

For example, to show a tree going up the chain, as is done for viewing files .p7r...

We are indeed taken aback by seeing the following differences:

1. Example of a chain on a .p7r file:

2. Then after import of all the 2 cert _(of my_ca and of mykey), here is the view of the certificate of _mykey on kse:

_-> no tree, and not mention on the tree of the my_ca!_

Hoping that my questioning is clear.

[kaikramer]

I understand your question very well and I understand why this is confusing for you.

To make it clear why this is as it is, let me first quote two definitions from the link to the KeyStore documentation above:

KeyStore.PrivateKeyEntry

This type of entry holds a cryptographic PrivateKey, which is optionally stored in a protected format to prevent unauthorized access. It is also accompanied by a certificate chain for the corresponding public key.

KeyStore.TrustedCertificateEntry

This type of entry contains a single public key Certificate belonging to another party. It is called a trusted certificate because the keystore owner trusts that the public key in the certificate indeed belongs to the identity identified by the subject (owner) of the certificate.

In other words:

• PrivateKeyEntry = Private key plus certificate chain
• TrustedCertificateEntry = One single Certificate

The two golden keys are the icon for a PrivateKeyEntry in KSE, whereas the red "medal" is the icon for a TrustedCertificateEntry:

If you click on a TrustedCertificateEntry, KSE shows the content of this entry, which is exactly one certificate. Its issuer (my_ca) is in another TrustedCertificateEntry.

This makes total sense if you think about the purpose of trusted certificates. They are trust anchors. You don't need to add the whole chain in a truststore, the root certificate is enough.

Of course it would be possible for KSE to search the whole keystore for more certificates from the same chain and show them in the tree, but that would not match the real content of the TrustedCertificateEntry and it would confuse people even more.

[The-Lum]

Thank you very much, I better understand the constraints of the Java KeyStore. Sorry for inconvenience,

Then it is now a wanted feature...

Of course it would be possible for KSE to search the whole keystore for more certificates from the same chain and show them in the tree, but that would not match the real content of the TrustedCertificateEntry and it would confuse people even more.

With the proposal to have an Interpolated Certificate Hierarchy... :wink: _(But it may be hard to implement between looking in the whole KeyStore as well as in the CAKeyStore..., and also depending on focus, change the corresponding form...)

A proposal on the todo list... Regards.

[kaikramer]

Okay, fine 😃

[Mingun]

I faced with similar problem. I have a set of *.cer files with certificates, some of them a signing others. I want to understand the hierarchy. I treid to do that by creating a new key store (any type, I not even want to save it) and loading all *.cer files into it. Because certificates contains only public key, the only matched command is Import Trusted Certificate. I was hoping that kse will recognise certificates and show me a tree corresponding to certificate chains, but it didn't. Is it possible to implement such feature?

[jgrateron]

I faced with similar problem. I have a set of *.cer files with certificates, some of them a signing others. I want to understand the hierarchy. I treid to do that by creating a new key store (any type, I not even want to save it) and loading all *.cer files into it. Because certificates contains only public key, the only matched command is Import Trusted Certificate. I was hoping that kse will recognise certificates and show me a tree corresponding to certificate chains, but it didn't. Is it possible to implement such feature?

KSE does not support operations on .cer files, but you can build the inheritance by creating a text file and pasting the certificates in PEM format in the following order:

1. end user/server certificate
2. intermediate certificate
3. root CA

[Mingun]

If I knew the order, then I wouldn't need such a tool, right? In addition, I do not know at all whether they are connected or not, this is exactly what I am trying to find out and the tree view would be very helpful here. In order not to manually match issuer of one to the subject of another, but to entrust this boring work to the machine.

[jgrateron]

If I knew the order, then I wouldn't need such a tool, right? In addition, I do not know at all whether they are connected or not, this is exactly what I am trying to find out and the tree view would be very helpful here. In order not to manually match issuer of one to the subject of another, but to entrust this boring work to the machine.

well, you could add a menu option by right clicking on an entry and call it find chain, and it would use the certificates that are added to that store, the search would be initially by Authority Key Identifier and then verify that the signature using the public key of the candidate certificate and then repeat until you get to the root or no more certificates are found.

[kaikramer]

@Mingun Just try the suggestion of @jgrateron but without sorting anything. Put all the certificates in PEM format into one big file and then drag&drop it on the KSE window (or use "Examine File"). KSE will then automatically find and show any certificate chains:

[Mingun]

@kaikramer, thanks, that's covers my needs

[kaikramer]

I have updated the issue title in an attempt to reflect the result of the discussions