I understand some of this. I know a little bit about cryptography. For example, I know there’s a lot of collisions in the MD5 cryptographic hash function and this is why we shouldn’t be using MD5. I can understand why we shouldn’t be using SHA1. Even if it’s not “breakable” yet, Moore’s law seems to still hold true. What might take a million years to break now might take 47 days in 5 years from now. It’d make sense that some smart people might just collect SHA1 encrypted data and just hold on to it until the technology arrives that allow them to break that encryption.
So, I really want to wrap my head around all of this. I have an SSL certificate for my site. Let’s Encrypt Authority X3 signed the certificate but devices don’t really trust Let’s Encrypt Authority X3 at first…so Let’s Encrypt Authority X3 must find someone else to sign the certificate. From what I’ve been reading, right now, this is IdenTrust.
Let’s see if I have this right so far. An intermediate CA is just a CA we don’t trust yet. An intermediate CA will just point to either another intermediate CA or a root CA. Once it points to the root CA, there’s no more to point too, because that’s the first in the chain. Eventually, everything will point to a root CA and if it’s not trusted, then we get an error on the device…right? For Let’s Encrypt, the root CA is ISRG Root X1, right?
Self-signed certificates…will they be root CA’s that just aren’t trusted?
I’m looking at chain.pem and fullchain.pem. chain.pem just has one block of ascii characters. Is that the cryptographic hash? And that just shows who signed my certificate, right? Then there’s fullchain.pem and that has two blocks. One is the same as what’s in chain.pem, which makes sense, then the other one, that’d be IdenTrust or would that be ISRG Root X1.
Thanks.