cert chain file ordering question

This question is regarding OpenSSL 1.1.

Let's say I have this trust hierarchy:

RootCA
CA1
CA2
CA3
userCert


So userCert is signed by CA3, CA3 is signed by CA2, and so on up to RootCA, which is a self-signed root cert.

If I combine CA1, CA2, CA3 and userCert into a single PEM file, chain.pem, the openssl verify command only verifies the chain is correct if the order of the file is such that the user cert occurs *last* in the chain as follows:

CA1
CA2
CA3
userCert

openssl verify -CAfile RootCA.pem chain.pem


What strikes me as odd is the order shown above is the *opposite* of what is needed for the SSL_CTX_use_certificate_chain_file() function, which requires the highest level CA to appear at the end of the file. From the man page:

SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. SSL_use_certificate_chain_file() is similar except it loads the certificate chain into ssl.

Is my understanding of things correct? It seems like there should be a way for the openssl command to verify a chain file which will be used with the SSL_CTX_use_certificate_chain_file() function.

Norm Green

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
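One way to check a chain file that is kept in the order SSL_CTX_use_certificate_chain_file() expects (leaf first), added here as an example that is not part of the original post: split the leaf certificate off the front of the file and pass the remaining certificates to openssl verify through -untrusted, which is how the verify command accepts intermediates. The file names and the layout of chain.pem are assumptions; the test below only exercises the splitting, since it needs no real certificates.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSL itself.
# chain.pem is assumed to hold the leaf certificate first, followed by the
# intermediate CA certificates (and optionally the root), i.e. the order
# SSL_CTX_use_certificate_chain_file() wants.

# split_chain CHAIN LEAF_OUT INTER_OUT
# Copies the first PEM certificate block in CHAIN to LEAF_OUT and every
# following certificate block to INTER_OUT (INTER_OUT may end up empty).
split_chain() {
    : > "$2"
    : > "$3"
    awk -v leaf="$2" -v inter="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf; next }
        n >= 2 { print > inter }
    ' "$1"
}

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none)
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# verify_chain ROOT_PEM CHAIN_PEM
# Verifies the leaf at the front of CHAIN_PEM up to the trusted root in
# ROOT_PEM, using the rest of CHAIN_PEM as untrusted intermediates.
# Returns the exit status of openssl verify.
verify_chain() {
    tmp=$(mktemp -d) || return 1
    split_chain "$2" "$tmp/leaf.pem" "$tmp/intermediates.pem"
    rc=0
    if [ "$(count_certs "$tmp/intermediates.pem")" -gt 0 ]; then
        openssl verify -CAfile "$1" -untrusted "$tmp/intermediates.pem" \
            "$tmp/leaf.pem" || rc=$?
    else
        # Leaf signed directly by the root: no intermediates to supply.
        openssl verify -CAfile "$1" "$tmp/leaf.pem" || rc=$?
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage (assumed file names): verify_chain RootCA.pem chain.pem
```

Because the root comes from -CAfile, a trailing RootCA block in chain.pem is simply treated as one more untrusted certificate and does not affect the result.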