I have an X509 certificate obtained using something like this:
block, _ := pem.Decode([]byte(str)) // the remaining input (second return value) is not needed here
cert, err := x509.ParseCertificate(block.Bytes)
I'd like to check if the certificate is a root certificate. I've tried checking IsCA, but this appears to be true for intermediate certificates too. I've also tried something like this:
if cert.KeyUsage&x509.KeyUsageCertSign != 0 { //.....
But this is also true for intermediates, since they are permitted to sign the leaf certs.
Should I be doing something else? Perhaps comparing RawSubject and RawIssuer byte for byte and expecting identical contents (won't this give a false positive for self-signed leaves)?
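
One way to separate the cases the question lists, as an added example that is not part of the original post: compare `RawSubject` with `RawIssuer`, verify the signature with the certificate's own key, and read the CA basic constraint. `classify` and `makeCert` are hypothetical helpers, and the certificates are constructed in-process as sample input.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// classify is a hypothetical helper, not a crypto/x509 API.
func classify(c *x509.Certificate) string {
	selfIssued := bytes.Equal(c.RawSubject, c.RawIssuer)
	// CheckSignature verifies with c's own key; unlike CheckSignatureFrom it does not require c to be a CA.
	selfSigned := selfIssued && c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	isCA := c.BasicConstraintsValid && c.IsCA
	switch {
	case selfSigned && isCA:
		return "self-signed CA"
	case selfSigned:
		return "self-signed leaf"
	case isCA:
		return "intermediate CA"
	}
	return "leaf"
}

// makeCert builds a constructed sample certificate; a nil parent means self-signed.
func makeCert(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, signer = t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return cert, priv
}

func main() {
	root, rootKey := makeCert("Constructed Root", true, nil, nil)
	inter, _ := makeCert("Constructed Intermediate", true, root, rootKey)
	leaf, _ := makeCert("Constructed Self-Signed Leaf", false, nil, nil)
	fmt.Println(classify(root), "|", classify(inter), "|", classify(leaf))
}
```

A result of "self-signed CA" describes only the certificate's structure; whether it is a trusted root depends on whether it is in the verifier's root pool.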