Hacker News

Would you explain what you mean by "cross chain to another root"?


So, just because I'm more familiar with DigiCert, and it's more clear with specific names.

Let's say you had a certificate for CN=example.org, issued by DigiCert ECC Secure Server CA, the certificate of which is itself issued by DigiCert Global Root CA.

Most clients have that CA in their chain, so you can send the example.org cert, and the DigiCert ECC Secure Server CA cert, and have very good compatibility. DigiCert Global Root CA was created November 2006, and maybe your client has a CA bundle from before then, or anyway doesn't have that CA. Not to worry, DigiCert has a cross signed copy of DigiCert Global Root CA, issued by Baltimore CyberTrust Root. Baltimore CyberTrust Root was created in May 2000, and most people like them.

So, to support that small fraction of users which have Baltimore CyberTrust Root and not DigiCert Global Root CA, you can send

CN=example.org, the normal DigiCert ECC Secure Server CA, and the cross signed DigiCert Global Root CA, issued by Baltimore CyberTrust Root.

Now, DigiCert happens to own the CA key for Baltimore CyberTrust Root, so they also can issue certs from a new intermediate they generated signed by it, but they were using their cross-signed Root as an option for compatibility with legacy clients before they purchased the CA. Sending the three certs should also work for well behaved clients that have the DigiCert Global Root CA, but not Baltimore CyberTrust Root; although not all clients will properly validate when they trust a CA in the chain, but not the last CA in the chain.

I'm not affiliated with DigiCert, I worked for a customer, and was in charge of selecting the CA while we supported a lot of ancient phones, each with their own mess of CA bundles, very few of which were documented. :(

DigiCert helpfully links their cross signed certs here https://www.digicert.com/digicert-root-certificates.htm#cros...
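The chain layout described in this comment, as a constructed openssl demo that is not part of the thread or DigiCert's own material: "Legacy Root" stands in for Baltimore CyberTrust Root, "New Root" for DigiCert Global Root CA, "Intermediate CA" for the ECC Secure Server CA, and all keys and certificates are generated on the fly. It builds the cross-signed copy of New Root (same subject and key, issued by Legacy Root), then checks the leaf against two trust stores, one holding only the old root and one holding only the new root, each given the same sent chain.

```shell
#!/bin/sh
# Constructed demo: hypothetical CA names, throwaway EC keys, 30-day certs.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf          # minimal req config
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.org\n' > leaf.ext

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
# sign NAME KEY SUBJECT ISSUER EXTFILE SERIAL   (ISSUER=self -> self-signed root)
sign() {
  openssl req -new -config req.cnf -key "$2" -subj "$3" -out "$1.csr" 2>/dev/null
  if [ "$4" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$2" -days 30 \
      -extfile "$5" -set_serial "$6" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -days 30 \
      -extfile "$5" -set_serial "$6" -out "$1.crt" 2>/dev/null
  fi
}

newkey legacy.key;  sign legacy  legacy.key  "/CN=Legacy Root" self ca.ext 1
newkey newroot.key; sign newroot newroot.key "/CN=New Root"    self ca.ext 2
# Cross-signed copy: identical subject and key to newroot, but issued by legacy.
sign cross newroot.key "/CN=New Root" legacy ca.ext 3
newkey ica.key;  sign ica  ica.key  "/CN=Intermediate CA" newroot ca.ext   4
newkey leaf.key; sign leaf leaf.key "/CN=example.org"     ica     leaf.ext 5
# What the server sends after the leaf: intermediate + cross-signed root.
cat ica.crt cross.crt > sent_chain.pem

# chain_ok TRUSTSTORE UNTRUSTED: exit 0 if leaf.crt validates, non-zero otherwise.
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1; }

chain_ok legacy.crt  sent_chain.pem && echo "client trusting only Legacy Root: OK"
chain_ok newroot.crt sent_chain.pem && echo "client trusting only New Root:    OK"
chain_ok legacy.crt  ica.crt || echo "Legacy-only client without the cross cert: FAIL (expected)"
```

The second check passes because modern verifiers prefer a trusted issuer over the untrusted cross cert for the same subject; the "not all clients will properly validate" caveat in the comment is about clients that lack that behaviour.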


Great explanation, thank you!


If you set up a new CA, you're not immediately in browser roots until you can prove you're running your CA in a responsible fashion. It's usually easier to pay an existing CA to sign your root cert as if it was one of their own intermediates, and follow their rules to get established before tackling getting approval in browsers. Even after you're approved, you need to wait for users to upgrade to new browsers/OSes/devices (depending on use case) to have your cert included in their trust store.

This even applies if you are the browser vendors: Let's Encrypt was cross signed for the first year or so of its existence.



