I know that a certificate that's been signed by a CA contains identifiers for both the subject and the issuer's public keys:

    $ openssl x509 -in cert.pem -text
    X509v3 Subject Key Identifier: EC:27: ...
    X509v3 Authority Key Identifier: keyid:AF:08: ...

I can extract the public key of the subject:

    $ openssl x509 -in cert.pem -pubkey
    -----BEGIN PUBLIC KEY-----
    T5l...
    -----END PUBLIC KEY-----

Is it possible to extract the full public key of the issuer? Is a special type of certificate required to do this?

If the .pem file doesn't contain the issuer's public key, then how does validation work - is the identifier sufficient to check that a certificate has been signed by the identifier's corresponding public key?