Difference between ca-bundle.crt and ca-bundle.trust.crt

On CentOS 6.5, in /etc/pki/tls/certs I have:

ca-bundle.crt

and

ca-bundle.trust.crt

with different file sizes. Which should I use as the trust path for nginx proxy_ssl_trusted_certificate?


Solution 1:

ca-bundle.trust.crt holds certs with "extended validation".

The difference between "normal" certs and certs with EV is that EV certs need something like a personal or company validation, e.g. validating the identity of a person by his/her passport.

This means that if you want to get an EV cert you'll have to identify yourself to the cert issuer, e.g. by your passport. If you "are" a company then an equivalent procedure (don't know it exactly) must happen. This is most essential for online banking: you must be sure that not only the server you connect to is certified but also the bank is certified.

Because of that the EV certs are more "complicated" and contain additional fields to "identify" not only the server but also the company.

To come back to your question:

It depends on your usage. Most people should use ca-bundle.crt. If you "are" a bank or an online shop which needs a very high level of certification and "trust" then you should use ca-bundle.trust.crt.

Solution 2:

After "exploding" the bundles with a little Perl script and running diff --side-by-side on the certificate of the Government of Taiwan (chosen only because it is the only certificate in the bundle without a CN attribute in the Issuer and Subject lines; it uses SHA1, but that's okay), we see the difference:

  • Certificate from the ca-bundle.trust.crt on the left
  • Certificate from the ca-bundle.crt on the right
-----BEGIN TRUSTED CERTIFICATE-----                           | -----BEGIN CERTIFICATE-----
MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFA   MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFA
...
LMDDav7v3Aun+kbfYNucpllQdSNpc5Oy+fwC00fmcc4QAu4njIT/rEUNE1yDM   LMDDav7v3Aun+kbfYNucpllQdSNpc5Oy+fwC00fmcc4QAu4njIT/rEUNE1yDM
pYYsfPQSMCMwFAYIKwYBBQUHAwQGCCsGAQUFBwMBDAtUYWl3YW4gR1JDQQ==  | pYYsfPQS
-----END TRUSTED CERTIFICATE-----                             | -----END CERTIFICATE-----
Certificate:                                                    Certificate:
    Data:                                                           Data:
        Version: 3 (0x2)                                                Version: 3 (0x2)
        Serial Number:                                                  Serial Number:
            1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6                 1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
        Signature Algorithm: sha1WithRSAEncryption                      Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = TW, O = Government Root Certification Aut           Issuer: C = TW, O = Government Root Certification Aut
        Validity                                                        Validity
            Not Before: Dec  5 13:23:33 2002 GMT                            Not Before: Dec  5 13:23:33 2002 GMT
            Not After : Dec  5 13:23:33 2032 GMT                            Not After : Dec  5 13:23:33 2032 GMT
        Subject: C = TW, O = Government Root Certification Au           Subject: C = TW, O = Government Root Certification Au
        Subject Public Key Info:                                        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption                             Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)                                      RSA Public-Key: (4096 bit)
                Modulus:                                                        Modulus:
                    00:9a:25:b8:ec:cc:a2:75:a8:7b:f7:ce:5b:59                       00:9a:25:b8:ec:cc:a2:75:a8:7b:f7:ce:5b:59
                    ...                                                             ...
                    95:7a:98:c1:91:3c:95:23:b2:0e:f4:79:b4:c9                       95:7a:98:c1:91:3c:95:23:b2:0e:f4:79:b4:c9
                    c1:4a:21                                                        c1:4a:21
                Exponent: 65537 (0x10001)                                       Exponent: 65537 (0x10001)
        X509v3 extensions:                                              X509v3 extensions:
            X509v3 Subject Key Identifier:                                  X509v3 Subject Key Identifier:
                CC:CC:EF:CC:29:60:A4:3B:B1:92:B6:3C:FA:32:62:                   CC:CC:EF:CC:29:60:A4:3B:B1:92:B6:3C:FA:32:62:
            X509v3 Basic Constraints:                                       X509v3 Basic Constraints:
                CA:TRUE                                                         CA:TRUE
            setCext-hashedRoot:                                             setCext-hashedRoot:
                0/0-...0...+......0...g*........"...(6....2.1                   0/0-...0...+......0...g*........"...(6....2.1
    Signature Algorithm: sha1WithRSAEncryption                      Signature Algorithm: sha1WithRSAEncryption
         40:80:4a:fa:26:c9:ce:5e:30:dd:4f:86:74:76:58:f5:ae:b            40:80:4a:fa:26:c9:ce:5e:30:dd:4f:86:74:76:58:f5:ae:b
         ...                                                             ...
         e0:25:a5:86:2c:7c:f4:12                                         e0:25:a5:86:2c:7c:f4:12
Trusted Uses:                                                 <
  E-mail Protection, TLS Web Server Authentication            <
No Rejected Uses.                                             <
Alias: Taiwan GRCA                                            <
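The diff above shows exactly what the extra bytes at the end of a "TRUSTED CERTIFICATE" block are: after the DER of the certificate itself comes an OpenSSL X509_CERT_AUX structure (a SEQUENCE of trust-purpose OIDs, an optional [0] IMPLICIT SEQUENCE of rejected purposes, an optional UTF8String alias and an optional key id), which is what `openssl x509 -text` prints as "Trusted Uses" and "Alias". The following script is an added example, not code from the answer or from the Perl script it mentions. It splits a PEM bundle into its blocks, separates the certificate DER from the trailing aux block, and decodes the trust settings with a minimal DER reader. The sample bundle is constructed: the "certificate" in it is a placeholder DER SEQUENCE, not a real certificate, and the aux bytes are the ones decoded from the trailing base64 of the Taiwan GRCA block in the answer (`MCMwFAYI...R1JDQQ==`). The function and variable names (`split_bundle`, `parse_cert_aux`, `build_sample_bundle`) are this example's own.

```python
"""
Split a PEM CA bundle into its blocks and, for "TRUSTED CERTIFICATE" blocks,
decode the OpenSSL trust settings (X509_CERT_AUX) that follow the certificate.
Added example; names and the sample bundle are constructed for illustration.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)

# Extended key usage OIDs that commonly appear as trust settings (only those this example knows).
OID_NAMES = {
    "1.3.6.1.5.5.7.3.1": "TLS Web Server Authentication",
    "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "E-mail Protection",
    "2.5.29.37.0": "Any Extended Key Usage",
}


def der_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos). Handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode DER OID content octets to dotted form."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_cert_aux(aux):
    """Decode an X509_CERT_AUX SEQUENCE: trust OIDs, [0] reject OIDs, alias, keyid."""
    tag, body, _ = der_tlv(aux)
    if tag != 0x30:
        raise ValueError("trust block is not a SEQUENCE")
    info = {"trust": [], "reject": [], "alias": None, "keyid": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        if tag in (0x30, 0xA0):            # SEQUENCE OF OID (trust) / [0] IMPLICIT (reject)
            oids, p = [], 0
            while p < len(value):
                _, oid, p = der_tlv(value, p)
                oids.append(decode_oid(oid))
            info["trust" if tag == 0x30 else "reject"] = oids
        elif tag == 0x0C:                  # UTF8String alias
            info["alias"] = value.decode("utf-8")
        elif tag == 0x04:                  # OCTET STRING keyid
            info["keyid"] = value.hex()
    return info


def trust_names(info):
    """Human-readable trust purposes, as 'openssl x509 -text' prints under 'Trusted Uses'."""
    return [OID_NAMES.get(oid, oid) for oid in info["trust"]]


def split_bundle(pem_text):
    """One dict per PEM block: label, DER of the certificate proper, decoded aux (or None)."""
    blocks = []
    for m in PEM_RE.finditer(pem_text):
        raw = base64.b64decode("".join(m.group("body").split()))
        _, _, end = der_tlv(raw)           # first TLV is the Certificate SEQUENCE
        entry = {"label": m.group("label"), "cert_der": raw[:end], "aux": None}
        if m.group("label") == "TRUSTED CERTIFICATE" and end < len(raw):
            entry["aux"] = parse_cert_aux(raw[end:])
        blocks.append(entry)
    return blocks


def build_sample_bundle():
    """Constructed sample: a placeholder DER SEQUENCE (not a real certificate) as a plain
    CERTIFICATE block, then the same bytes plus the Taiwan GRCA aux block from the answer."""
    placeholder_cert = b"\x30\x03\x02\x01\x01"
    taiwan_aux = bytes.fromhex(
        "3023" "3014" "06082b06010505070304" "06082b06010505070301" "0c0b"
    ) + b"Taiwan GRCA"

    def pem(label, der):
        b64 = base64.b64encode(der).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

    return pem("CERTIFICATE", placeholder_cert) + pem("TRUSTED CERTIFICATE", placeholder_cert + taiwan_aux)


if __name__ == "__main__":
    for block in split_bundle(build_sample_bundle()):
        print(block["label"], len(block["cert_der"]), "cert bytes")
        if block["aux"]:
            print("  Trusted Uses:", ", ".join(trust_names(block["aux"])))
            print("  Alias:", block["aux"]["alias"])
```

Run it against the real files with `split_bundle(open("/etc/pki/tls/certs/ca-bundle.trust.crt").read())` to list which roots carry restricted trust purposes or reject lists. Note that the aux block is an OpenSSL convention, not part of X.509, and OpenSSL's PEM reader accepts "CERTIFICATE" and "TRUSTED CERTIFICATE" headers interchangeably when loading a trust store; what differs is only whether the per-certificate trust settings are carried along.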