Difference between ca-bundle.crt and ca-bundle.trust.crt
On CentOS 6.5, in /etc/pki/tls/certs I have:
ca-bundle.crt
and
ca-bundle.trust.crt
with different file sizes. Which should I use as the trust path for nginx proxy_ssl_trusted_certificate?
Solution 1:
ca-bundle.trust.crt holds certs with "extended validation".
The difference between "normal" certs and certs with EV is that EV certs need something like a personal or company validation, e.g. validating the identity of a person by his/her passport.
This means that if you want to get an EV cert you'll have to identify yourself to the cert issuer, e.g. with your passport. If you "are" a company then an equivalent procedure (don't know it exactly) must happen. This is most essential for online banking: you must be sure that not only the server you connect to is certified but also the bank is certified.
Because of that the EV certs are more "complicated" and contain additional fields to "identify" not only the server but also the company.
To come back to your question: it depends on your usage. Most people should use ca-bundle.crt. If you "are" a bank or an online shop which needs a very high level of certification and "trust" then you should use ca-bundle.trust.crt.
Solution 2:
After "exploding" the bundles using a little Perl script, then running diff --side-by-side on the certificate of the Government of Taiwan (as an example, taken only because it is the only certificate in the bundle without a CN attribute in the Issuer and Subject lines) (uses SHA1 but that's okay) we see the difference:
- Certificate from the ca-bundle.trust.crt on the left
- Certificate from the ca-bundle.crt on the right
-----BEGIN TRUSTED CERTIFICATE-----                           | -----BEGIN CERTIFICATE-----
MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFA   MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFA
...                                                             ...
LMDDav7v3Aun+kbfYNucpllQdSNpc5Oy+fwC00fmcc4QAu4njIT/rEUNE1yDM   LMDDav7v3Aun+kbfYNucpllQdSNpc5Oy+fwC00fmcc4QAu4njIT/rEUNE1yDM
pYYsfPQSMCMwFAYIKwYBBQUHAwQGCCsGAQUFBwMBDAtUYWl3YW4gR1JDQQ==  | pYYsfPQS
-----END TRUSTED CERTIFICATE-----                             | -----END CERTIFICATE-----
Certificate:                                                    Certificate:
    Data:                                                           Data:
        Version: 3 (0x2)                                                Version: 3 (0x2)
        Serial Number:                                                  Serial Number:
            1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6                 1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
        Signature Algorithm: sha1WithRSAEncryption                      Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = TW, O = Government Root Certification Aut           Issuer: C = TW, O = Government Root Certification Aut
        Validity                                                        Validity
            Not Before: Dec 5 13:23:33 2002 GMT                             Not Before: Dec 5 13:23:33 2002 GMT
            Not After : Dec 5 13:23:33 2032 GMT                             Not After : Dec 5 13:23:33 2032 GMT
        Subject: C = TW, O = Government Root Certification Au           Subject: C = TW, O = Government Root Certification Au
        Subject Public Key Info:                                        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption                             Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)                                      RSA Public-Key: (4096 bit)
                Modulus:                                                        Modulus:
                    00:9a:25:b8:ec:cc:a2:75:a8:7b:f7:ce:5b:59                       00:9a:25:b8:ec:cc:a2:75:a8:7b:f7:ce:5b:59
                    ...                                                             ...
                    95:7a:98:c1:91:3c:95:23:b2:0e:f4:79:b4:c9                       95:7a:98:c1:91:3c:95:23:b2:0e:f4:79:b4:c9
                    c1:4a:21                                                        c1:4a:21
                Exponent: 65537 (0x10001)                                       Exponent: 65537 (0x10001)
        X509v3 extensions:                                              X509v3 extensions:
            X509v3 Subject Key Identifier:                                  X509v3 Subject Key Identifier:
                CC:CC:EF:CC:29:60:A4:3B:B1:92:B6:3C:FA:32:62:                   CC:CC:EF:CC:29:60:A4:3B:B1:92:B6:3C:FA:32:62:
            X509v3 Basic Constraints:                                       X509v3 Basic Constraints:
                CA:TRUE                                                         CA:TRUE
            setCext-hashedRoot:                                             setCext-hashedRoot:
                0/0-...0...+......0...g*........"...(6....2.1                   0/0-...0...+......0...g*........"...(6....2.1
    Signature Algorithm: sha1WithRSAEncryption                          Signature Algorithm: sha1WithRSAEncryption
         40:80:4a:fa:26:c9:ce:5e:30:dd:4f:86:74:76:58:f5:ae:b            40:80:4a:fa:26:c9:ce:5e:30:dd:4f:86:74:76:58:f5:ae:b
         ...                                                             ...
         e0:25:a5:86:2c:7c:f4:12                                         e0:25:a5:86:2c:7c:f4:12
Trusted Uses:                                                 <
  E-mail Protection, TLS Web Server Authentication            <
No Rejected Uses.                                             <
Alias: Taiwan GRCA                                            <
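As an added example (not part of the question or of either answer), the following Python script does in the standard library what Solution 2 did with a Perl script and diff: it splits a bundle into its PEM blocks, tells "CERTIFICATE" blocks from "TRUSTED CERTIFICATE" blocks and, for the trusted form, separates the certificate DER from the X509_CERT_AUX trailer that OpenSSL appends after it (trusted uses, rejected uses, alias) and decodes that trailer. The sample bundle is constructed: the certificate bodies are a five-byte placeholder DER SEQUENCE, not a real certificate, while the trailer is the real tail that Solution 2's diff shows on the left side only (the base64 after pYYsfPQS). The names split_bundle, split_trusted, parse_aux and describe_bundle are mine, not OpenSSL's or the distribution's.

```python
"""Added example: inspect a CA bundle and decode OpenSSL's trust trailer.

A "TRUSTED CERTIFICATE" PEM block is the certificate DER immediately followed
by an X509_CERT_AUX structure, which is why the two bodies in Solution 2's diff
agree up to "pYYsfPQS" and then only the trusted one continues.
"""
import base64
import re

# Constructed sample input. The "certificate" is a 5-byte placeholder
# SEQUENCE { INTEGER 1 }, NOT a real certificate: only its outer TLV matters
# for splitting. The trailer is the real tail from Solution 2's diff.
_PLACEHOLDER_CERT = bytes.fromhex("3003020101")
_TAIWAN_AUX_B64 = "MCMwFAYIKwYBBQUHAwQGCCsGAQUFBwMBDAtUYWl3YW4gR1JDQQ=="

# Long names OpenSSL prints for purpose OIDs found in trust settings.
_EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "TLS Web Server Authentication",
    "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication",
    "1.3.6.1.5.5.7.3.4": "E-mail Protection",
    "2.5.29.37.0": "Any Extended Key Usage",
}

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def _pem(label, der):
    """Wrap DER bytes in a PEM block with the given label (64-char lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


SAMPLE_BUNDLE = (
    "# constructed two-entry bundle\n"
    + _pem("CERTIFICATE", _PLACEHOLDER_CERT)
    + _pem("TRUSTED CERTIFICATE", _PLACEHOLDER_CERT + base64.b64decode(_TAIWAN_AUX_B64))
)


def split_bundle(text):
    """Return [(label, der_bytes), ...] for every PEM block in a bundle."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in _PEM_BLOCK.finditer(text)]


def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(value):
    """Decode OID content octets to dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def split_trusted(der):
    """Split a TRUSTED CERTIFICATE body into (certificate DER, X509_CERT_AUX DER)."""
    _, _, end = _tlv(der, 0)                # the certificate is the first SEQUENCE
    return der[:end], der[end:]


def parse_aux(aux):
    """Decode X509_CERT_AUX: trust SEQUENCE OF OID, reject [0] IMPLICIT SEQUENCE
    OF OID, alias UTF8String (keyid and the 'other' field are skipped)."""
    out = {"trust": [], "reject": [], "alias": None}
    if not aux:                             # OpenSSL writes no trailer when empty
        return out
    tag, body, _ = _tlv(aux, 0)
    if tag != 0x30:
        raise ValueError("X509_CERT_AUX is not a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        if tag in (0x30, 0xA0):
            key, p = ("trust" if tag == 0x30 else "reject"), 0
            while p < len(value):
                t, v, p = _tlv(value, p)
                if t == 0x06:
                    out[key].append(_EKU_NAMES.get(_oid(v), _oid(v)))
        elif tag == 0x0C:
            out["alias"] = value.decode("utf-8")
    return out


def describe_bundle(text):
    """One dict per block: label, certificate length, decoded trust settings."""
    rows = []
    for label, der in split_bundle(text):
        cert, aux = split_trusted(der) if label == "TRUSTED CERTIFICATE" else (der, b"")
        rows.append(dict(label=label, cert_len=len(cert), **parse_aux(aux)))
    return rows


if __name__ == "__main__":
    for row in describe_bundle(SAMPLE_BUNDLE):
        print(row)
```

On the CentOS box itself, describe_bundle(open("/etc/pki/tls/certs/ca-bundle.trust.crt").read()) lists every entry with the uses recorded for it, and comparing the certificate bytes returned by split_trusted against the entries of ca-bundle.crt shows, entry by entry, whether the two files differ in anything beyond this trailer.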