TL;DR
Generally, yes. X.509 does not strictly *require* it, but each root certificate should carry a unique subject (the Distinguished Name: the ‘CN’, or Common Name, together with attributes such as O and C). Giving several roots the same subject causes real problems for trust management and certificate path building, and can break validation outright. Here is why, and what to do about it.
Understanding Root Certificates & Subjects
Root certificates sit at the top of the chain of trust for certificates used on websites, in software signing, and more. A certificate’s ‘subject’ names the entity the certificate belongs to (typically an organisation or a Certificate Authority); the separate ‘issuer’ field names who signed it. A root is self-signed, so its subject and issuer are the same name. Validators build a chain by matching each certificate’s issuer name to a candidate’s subject name, which is why a root’s subject needs to pick out exactly one root. Think of it like a passport: each person needs their own.
Why Unique Subjects Matter
- Trust Anchor Confusion: Operating systems, browsers and TLS libraries store root certificates as ‘trust anchors’ and find the anchor for a chain by name: the issuer name on the certificate below must equal the anchor’s subject. If several roots share a subject, that lookup returns more than one candidate. Validators that disambiguate by key identifier (the Authority Key Identifier on the child against the Subject Key Identifier on the root) cope; those that simply take the first match may try the wrong key and reject a perfectly good chain, and different validators will disagree with each other.
- Revocation Issues: Certificate Revocation Lists (CRLs) are matched to certificates by issuer name. If two CAs issue under the same name, a validator cannot tell which CA’s CRL applies to a given certificate, so a revocation recorded by one CA may be applied to, or missed for, certificates from the other. (Roots themselves are not revoked through CRLs or OCSP; they are removed from trust stores, and a store keyed by subject may remove both.)
- Key Compromise Risk: If one root with a shared subject is compromised, everything you do in response (distrusting that name, rejecting certificates with that issuer name, telling relying parties which CA is affected) sweeps in the other root too, because nothing but the key itself tells them apart. Certificates issued under the uncompromised key remain cryptographically sound, but operationally the blast radius expands to everything bearing that name.
- Software Compatibility: Some tooling assumes subject names are unique within a trust store. OpenSSL’s hashed ‘-CApath’ directories, for example, name files by a hash of the subject, so colliding roots have to be distinguished by numbered suffixes; other tools may silently keep only one of the colliding entries. Expect inconsistent behaviour from one validator to the next.
How to Check Root Certificate Subjects
You can inspect root certificates using various tools:
- OpenSSL (Command Line): This is a powerful tool for examining certificate details.
  openssl x509 -in /path/to/root.crt -text -noout
  Look for the ‘Subject:’ field in the output; it shows the CN and the other attributes. For a root, the ‘Issuer:’ field should be identical, and the ‘X509v3 Subject Key Identifier’ extension, if present, is what lets validators tell same-named roots apart.
- Browser: Most browsers allow you to view certificate details. In Chrome, click the padlock icon next to a website’s address, then ‘Connection is secure’, then ‘Certificate’. Navigate to the ‘Details’ tab.
- Keytool (Java): If you are working with Java KeyStores:
  keytool -list -v -keystore /path/to/truststore.jks
  This lists every certificate in the truststore with its ‘Owner:’ (subject) and ‘Issuer:’ lines. Note that keytool only requires unique aliases, not unique subjects, so two same-named roots can sit side by side in one store without complaint.
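Both of the tools above show one certificate at a time, so spotting a duplicate across a whole directory of roots is left to you. The following Python is an added example (not code from the original page or from OpenSSL, Java or any other project) that does that check offline: it walks just enough DER to read the issuer and subject Names, groups roots by subject, and also shows the path-building ambiguity from the ‘Trust Anchor Confusion’ point above by looking up anchors by name alone, the way a validator without key identifiers does. The sample roots are constructed inside the file from the ‘MyCompany’ names used in the Example Scenario below, with zeroed key and signature bytes and hypothetical file names; `find_duplicate_subjects`, `candidate_anchors` and the other function names are this example’s own.

```python
import base64

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each DER element between start and end."""
    while start < end:
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length & 0x80:                            # long form: low bits = number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        start = pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                             # clear high bit ends a base-128 arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def _decode_name(buf, start, end):
    """X.501 Name: SEQUENCE OF (SET OF (SEQUENCE {type OID, value})) -> 'C=..,O=..,CN=..'."""
    rdns = []
    for _, rs, re_ in _children(buf, start, end):
        attrs = []
        for _, as_, ae in _children(buf, rs, re_):
            (_, os_, oe), (_, vs, ve) = _children(buf, as_, ae)
            oid = _decode_oid(buf[os_:oe])
            attrs.append(f"{OID_NAMES.get(oid, oid)}={buf[vs:ve].decode()}")
        rdns.append("+".join(attrs))
    return ",".join(rdns)

def load_der(blob):
    """PEM (-----BEGIN CERTIFICATE----- armour) or DER bytes -> DER."""
    if not blob.lstrip().startswith(b"-----BEGIN"):
        return blob
    return base64.b64decode(b"".join(l for l in blob.splitlines() if not l.startswith(b"-----")))

def issuer_and_subject(der):
    """Return (issuer, subject) of a DER Certificate as strings; equal for a self-signed root."""
    _, cs, ce = next(_children(der, 0, len(der)))      # Certificate ::= SEQUENCE
    _, ts, te = next(_children(der, cs, ce))           # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return tuple(_decode_name(der, fields[i][1], fields[i][2]) for i in (2, 4))

def find_duplicate_subjects(roots):
    """roots: {filename: PEM/DER bytes} -> {subject: [filenames]} for subjects used more than once."""
    by_subject = {}
    for name, blob in roots.items():
        by_subject.setdefault(issuer_and_subject(load_der(blob))[1], []).append(name)
    return {s: n for s, n in by_subject.items() if len(n) > 1}

def candidate_anchors(child, roots):
    """Name-only anchor lookup (no key identifiers): every root whose subject equals child's issuer."""
    issuer = issuer_and_subject(load_der(child))[0]
    return [n for n, b in roots.items() if issuer_and_subject(load_der(b))[1] == issuer]

# Constructed sample data: DER certificate skeletons with zeroed key and signature bytes.
def _tlv(tag, body):
    n, width = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | width]) + n.to_bytes(width, "big")) + body

def _encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = [40 * p[0] + p[1]]
    for v in p[2:]:
        chunk = [v & 0x7F]
        while v := v >> 7:
            chunk.insert(0, 0x80 | (v & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))

def _encode_name(attrs):
    oid_of = {v: k for k, v in OID_NAMES.items()}
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _encode_oid(oid_of[k]) + _tlv(0x0C, v.encode())))
                               for k, v in attrs))

def make_cert_stub(subject, issuer=None):
    """Certificate with the given subject/issuer Names (self-signed shape when issuer is None)."""
    alg = _tlv(0x30, _encode_oid("1.2.840.113549.1.1.11") + b"\x05\x00")    # sha256WithRSAEncryption
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    spki = _tlv(0x30, _tlv(0x30, _encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _tlv(0x03, bytes(17)))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _encode_name(issuer or subject) + validity + _encode_name(subject) + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, bytes(17)))

MYCO = [("C", "GB"), ("O", "MyCompany")]
SAMPLE_ROOTS = {                                       # hypothetical file names, constructed contents
    "bad_ca1.crt": make_cert_stub(MYCO + [("CN", "MyCompany Root CA")]),
    "bad_ca2.crt": make_cert_stub(MYCO + [("CN", "MyCompany Root CA")]),
    "good_ca1.crt": make_cert_stub(MYCO + [("CN", "MyCompany Root CA 1")]),
    "good_ca2.crt": make_cert_stub(MYCO + [("CN", "MyCompany Root CA 2")]),
}
SAMPLE_CHILD = make_cert_stub(MYCO + [("CN", "MyCompany Issuing CA")], issuer=MYCO + [("CN", "MyCompany Root CA")])
```

On the constructed data, `find_duplicate_subjects(SAMPLE_ROOTS)` reports the two ‘bad’ roots under the shared subject and nothing for the ‘good’ ones, and `candidate_anchors(SAMPLE_CHILD, SAMPLE_ROOTS)` returns both ‘bad’ files: the issuing CA’s chain cannot be resolved by name alone. To run it on a real store, build the dictionary from files on disk, for instance `{p: open(p, "rb").read() for p in glob.glob("/etc/ssl/certs/*.pem")}`. Two caveats: the name decoder handles UTF8String and PrintableString values and compares names as exact strings, not with the case-folding and whitespace rules RFC 5280 allows validators to apply; and the name-only lookup models the weakest validator, since one that honours Subject Key Identifier and Authority Key Identifier can still pick the right same-named root.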
What to Do If You Have Duplicate Subjects
- Generate New Roots: The best fix is to create a new root certificate with a unique subject for each CA, and to include a Subject Key Identifier extension while you are at it. This is the most secure and reliable approach.
- Re-issue Certificates (If Possible): If you control the issuing CAs, re-issue the intermediates and end-entity certificates under the new roots, then retire the old ones. This can be a large undertaking, but it removes the ambiguity instead of working around it.
- Avoid Shared Trust Stores: Where same-named roots must coexist for a while, give them separate trust stores (for example, one per application or environment) so that no single validator ever sees both.
- Document Thoroughly: If you absolutely cannot avoid shared subjects (which is rare and not recommended), document the situation carefully and understand the risks involved.
Example Scenario
Let’s say you have two CAs, ‘CA1’ and ‘CA2’, both issuing certificates for your company. If they both use a root certificate with the subject ‘MyCompany Root CA’, this is problematic. Validators compare the whole Distinguished Name, so any attribute may carry the difference, but the CN is the obvious place to put it.
- Good: CA1 uses ‘MyCompany Root CA 1’; CA2 uses ‘MyCompany Root CA 2’.
- Bad: Both CA1 and CA2 use ‘MyCompany Root CA’.
Final Thoughts
While not a strict technical requirement in every case, using unique subjects for root certificates is a best practice that makes trust management predictable, reduces the blast radius of a compromise, and keeps validators agreeing with one another. It’s worth the effort to ensure each root has its own distinct identity.

