On Thu, Mar 10, 2016 at 10:41:28PM +0100, Jakob Bohm wrote:

> > Any ideas what I could be doing wrong?
>
> Make sure the intermediary is not included in the "CA storage"
> (hashed or single file) used by the client. Anything in that
> storage is considered valid and not checked for revocation or
> validity.

This is changing in OpenSSL 1.1.0, and may yet change in a future
OpenSSL 1.0.2 update. Only the trust-anchor (top-most certificate
from the trust-store) is not checked for expiration or revocation in
OpenSSL 1.1.0. Intermediate certificates are checked, whether they
are from the trust-store, or acquired from the peer.

To get previous behaviour, one needs to set the
X509_V_FLAG_PARTIAL_CHAIN flag so that the first certificate found in
the trust store becomes the trust-anchor, and chain construction
stops there.

Another way (in OpenSSL 1.1.0) to get an intermediate certificate to
terminate the chain is to decorate it with explicit auxiliary trust
EKUs via the "-trustout" and "-addtrust" options of "openssl x509",
and then add the decorated certificate to the trust store.

-- 
	Viktor.
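The two approaches above, as an added example that is not part of the thread: a throw-away root -> intermediate -> leaf chain is built in a temp directory, then the leaf is verified against the intermediate alone, once with `-partial_chain` (the CLI form of X509_V_FLAG_PARTIAL_CHAIN) and once with the intermediate decorated via `-addtrust serverAuth -trustout`. It assumes the `openssl` CLI (1.1.0 or later for the trust-EKU case) is installed; the subject names are made up, and the serverAuth trust setting only matches when verifying for the sslserver purpose, hence `-purpose sslserver`.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Builds a demo chain and
# shows two ways to make a non-self-signed intermediate the trust anchor.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA (self-signed), then an intermediate CA issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root" \
    -keyout root.key -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -days 30 -in int.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null

# End-entity certificate issued by the intermediate.
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 30 -in leaf.csr -CA int.pem -CAkey int.key \
    -CAcreateserial -out leaf.pem 2>/dev/null

# Intermediate decorated with an auxiliary serverAuth trust setting; the
# output is a "TRUSTED CERTIFICATE" PEM block that carries the trust EKU.
openssl x509 -in int.pem -addtrust serverAuth -trustout -out int-trusted.pem

# Each check exits 0 if the leaf verifies, non-zero otherwise.
# No trust anchor: the store only holds an intermediate that is neither
# self-signed nor explicitly trusted, so chain building cannot finish.
verify_plain()   { openssl verify -CAfile int.pem leaf.pem >/dev/null 2>&1; }
# -partial_chain: the first store hit (the intermediate) ends the chain.
verify_partial() { openssl verify -partial_chain -CAfile int.pem leaf.pem >/dev/null 2>&1; }
# Explicit trust: the intermediate is an anchor for the sslserver purpose.
verify_trusted() { openssl verify -purpose sslserver -CAfile int-trusted.pem leaf.pem >/dev/null 2>&1; }

for check in verify_plain verify_partial verify_trusted; do
    if "$check"; then echo "$check: verified"; else echo "$check: NOT verified"; fi
done
```

Note that with either approach the intermediate is now the trust-anchor and so is itself no longer checked for expiration or revocation; only the leaf is.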