
"Self-signed" does not mean "self-issued"

Open oising opened this issue 2 years ago • 3 comments

A self-signed certificate is one that is its own Root CA: it is its own signatory; it is simultaneously a leaf and root, and there is no certificate chain. This article and others like it are sources of endless confusion for the inexperienced.

Please correct your use of "self-signed." You either create a self-signed certificate with no chain, or you create your own root CA and sign leaf certificates. In the latter, the Root CA is self-signed because this is how Root CAs work; commercial and in-house Root CA certs are self-signed. The leaf certificate is either self-signed (it is its own Root CA) or it is signed by a commercial or private Root CA.

You are conflating self-signed (cert signs itself) and self-issued (I did it myself):

https://en.wikipedia.org/wiki/Self-signed_certificate#Name_Confusion

Deeper explanation of a self-signed certificate: https://revocent.com/resources/what-is-a-self-signed-certificate-and-how-does-it-work/


oising, Mar 22 '24 16:03

Please see this thread as to why this is problematic:

https://github.com/MicrosoftDocs/azure-docs/issues/44425#issuecomment-564634256

oising, Mar 22 '24 16:03

@oising Thanks for your feedback! We will investigate and update as appropriate.

Naveenommi-MSFT, Mar 22 '24 17:03

@Naveenommi-MSFT @ManoharLakkoju-MSFT

You are conflating self-signed (cert signs itself) and self-issued (I did it myself):

https://en.wikipedia.org/wiki/Self-signed_certificate#Name_Confusion

Deeper explanation of a self-signed certificate: https://revocent.com/resources/what-is-a-self-signed-certificate-and-how-does-it-work/

oising, Mar 22 '24 19:03

@oising I'm going to assign this to the document author so they can take a look at it accordingly

@greg-lindsay Could you please review this and update as appropriate.

ManoharLakkoju-MSFT, Mar 26 '24 03:03

Hi @greg-lindsay

In short, when we self-issue a cert, we have two choices:

  1. create a root CA cert (which has no parent cert, so it must be self-signed) and use this to sign leaf nodes (i.e. used for SSL) - ergo the leaf node is self-issued, but not self-signed; it has been signed by the root CA cert.

or

  2. create a leaf node (self-issued) and use it to sign itself, ergo it is self-signed

Both cases are self-issued, but only case (2) has a self-signed leaf certificate.

This could be dismissed with a hand-wave as not that important until you realize that certain products in the Microsoft catalogue (e.g. AppGw backends) only function when case (1) is used. Case (2) is not supported and causes hard-to-diagnose issues.

oising, Mar 26 '24 14:03
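The two cases above, worked through with openssl as an added example (not code from the issue or from azure-docs): every certificate the script makes is self-issued, but only the root and the case (2) leaf are self-signed. The CA name and hostname are constructed placeholders, and the script assumes a standard OpenSSL install (3.x, or 1.1.1 with its stock openssl.cnf) so that `req -x509` emits a CA:TRUE certificate.

```shell
#!/bin/sh
# Added example, not from the issue or from azure-docs. Builds both
# "self-issued" cases from the thread and classifies each certificate.
# All names below are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Case 1: an in-house root CA (it has no parent, so it must sign itself)
# issues a separate leaf. The leaf is self-issued but NOT self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example In-House Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=app.example.internal" \
  -keyout "$WORK/leaf1.key" -out "$WORK/leaf1.csr" 2>/dev/null
openssl x509 -req -days 1 -sha256 -in "$WORK/leaf1.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/leaf1.crt" 2>/dev/null

# Case 2: the leaf signs itself; it is its own root and there is no chain.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=app.example.internal" \
  -keyout "$WORK/leaf2.key" -out "$WORK/leaf2.crt" 2>/dev/null

# A certificate is self-signed when its signature verifies under its own
# public key, i.e. it validates with itself as the only trust anchor.
# Subject == Issuer is necessary but not sufficient (a re-keyed root can
# carry the same name), so the signature check is what counts.
is_self_signed() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 && echo yes || echo no
}

# Does the certificate chain to the in-house root? Case 1 does; case 2
# cannot, which is the difference a backend expecting a CA-issued cert sees.
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 && echo yes || echo no
}

for c in ca leaf1 leaf2; do
  printf '%-6s %s\n' "$c" "$(openssl x509 -in "$WORK/$c.crt" -noout -issuer)"
  printf '       self-signed=%s chains-to-ca=%s\n' \
    "$(is_self_signed "$WORK/$c.crt")" "$(chains_to_ca "$WORK/$c.crt")"
done
```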

@oising we are looking at the terminology and will update as appropriate. Thanks for the feedback. I'm sorry this is taking a long time.

greg-lindsay, Apr 04 '24 22:04