4

To explain the situation a bit:

I'm building an iOS application that uses SSL pinning. I've created a self-signed certificate authority that issues SSL certificates to my web server, and the CA's certificate is bundled with the application for verification. I'd like to use letsencrypt to create the SSL certificates for the web server so that they are trusted implicitly by web browsers, but their certificates wouldn't be signed by my CA so this wouldn't work in the application. (It's worth noting that certificates issued by letsencrypt are very short lived, so they can't be used directly for SSL pinning).

So I'd like to generate a certificate using letsencrypt and then cross-sign it with my CA. Is this possible?

Ell Neal
  • 141

2 Answers2

4

A certificate can only contain a single signature. But, since you are using SSL pinning anyway there is no need to have your own CA, because inside your iOS app you simply check the public key fingerprint. As long as you use the same key pair when renewing the certificate with letsencrypt the public key fingerprint fully identifies the certificate also after renewing.

Steffen Ullrich
  • 6,047
3

Is it possible to have a certificate signed by 2 authorities?

No. There's only room for one issuer, one authority key identifier, etc.

Also see Certificate with Multiple Signers? on the PKIX mailing list. PKIX is the Internet's PKI as called out by the IETF. Other PKIs may be different.

If you encounter another PKI that allows it, then it likely won't work/interop with browsers and other user agents like curl, wget, etc. They simply won't know how to handle the certificate.

jww
  • 12,722