How to prove a Root Certificate – part 2

Another way to prove the authenticity of the Root Certificate is to publish it signed by a certificate issued by a previously trusted PKI. This can be useful in the case where a PKI is being established to replace a legacy system. 

I have previously used the Mozilla NSS tool CMSUTIL to sign a data file but this time I decided to write a program using the Microsoft CryptoAPI on Windows because that it less sensitive to expired certificates. NSS CMSUTIL will not validate the signature if the signing certificate has expired and that could be a problem in this case as we are using a certificate from a legact PKI to sign the Root Certificate of the replacement PKI.

Here is the CMS signed data blob containing the Root Certificate cmssigned.dat 

You can verify the signature and examine the signing certificate using this program cms-verify.cpp and for completeness here is the program that I used to sign it cms-sign.cpp   

Leave a Reply

You must be logged in to post a comment.