On 21/04/2017 03:37, Lei Kong wrote:
When validating a certificate issued by an intermediate certificate authority, I noticed that I need to install both the root and the intermediate CA certificate locally (with update-ca-certificates on ubuntu 16.04). Verification fails if only root CA cert is installed (intermediate is not installed), is this expected behavior? Why do I need to install intermediate CA cert locally? Locally installed root CA cert is not enough to validate intermediate CA cert?
This is only necessary if the other end of the connection (incorrectly) forgets to include the intermediate in the certificate bundle sent with the data or protocol exchange.
Is it possible to make chain validation work with only root CA cert installed locally?
Yes, if the other end is not misconfigured and you pass the received certificate bundle to the appropriate validation related function as a list of untrusted additional certificates, which the certificate verification code can search for needed intermediate certificates. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
