Re: Certificate chain validation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 21/04/2017 03:37, Lei Kong wrote:

When validating a certificate issued by an intermediate certificate authority, I noticed that I need to install both the root and the intermediate CA certificate locally (with update-ca-certificates on ubuntu 16.04). Verification fails if only root CA cert is installed (intermediate is not installed), is this expected behavior? Why do I need to install intermediate CA cert locally? Locally installed root CA cert is not enough to validate intermediate CA cert?

This is only necessary if the other end of the connection
(incorrectly) forgets to include the intermediate in the
certificate bundle sent with the data or protocol exchange.

Is it possible to make chain validation work with only root CA cert installed locally?

Yes, if the other end is not misconfigured and you pass the
received certificate bundle to the appropriate validation
related function as a list of untrusted additional certificates,
which the certificate verification code can search for needed
intermediate certificates.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux