> On May 31, 2019, at 3:20 PM, Jason Schultz <jetson23@xxxxxxxxxxx> wrote:
>
> My questions deal with #2: Why does OpenSSL include the root cert in the
> certificate chain?

The OpenSSL SSL_CTX_build_cert_chain(3) function constructs a complete chain
of trust for your certificate chain, based on the configured trust stores
(CAfile and/or CApath). If you call this function, then you can control how
your certificate chain is augmented.

But if your EE certificate is the entire chain, then the internal automatic
chain construction code will assume that the chain was not built, and will
try to augment it unless you set the SSL_MODE_NO_AUTO_CHAIN flag via
SSL_CTX_set_mode(3) or SSL_set_mode(3).

[ Which really ought to also document SSL_MODE_NO_AUTO_CHAIN ]

> Will the root cert be included in the chain any time it's in the same directory
> as the server cert?

No, the chain is augmented based on the configured trust stores, and does not
directly consider the directory holding the chain file.

> Is there a way, via API call, configuration, etc, to force OpenSSL to NOT send the
> root certificate as part of the chain in this case?

You can set a CAfile/CApath that do not include the location of the root
cert, or disable automatic chain construction, and build the chain just the
way you like it via SSL_CTX_build_cert_chain(3), possibly passing the
SSL_BUILD_CHAIN_FLAG_NO_ROOT flag.

--
	Viktor.
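A check the original poster could run against a deployed chain file, or against the certificates a server actually sends (for instance the output of `openssl s_client -showcerts` saved to a file), to confirm whether a self-issued root is still being included after changing the trust store or the chain-building flags. This is an added example, not Viktor's code and not part of OpenSSL; it treats issuer == subject as the marker of a self-issued (root) certificate, a heuristic that does not verify any signature, and the three certificates it runs on are constructed, unsigned stand-ins that only reproduce the real TBSCertificate field layout.

```python
import base64
import re

# --- minimal DER reader: just enough to walk a Certificate's TBSCertificate ---

def _read_tlv(buf, pos):
    """Return (tag, value, end) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Extract the raw DER issuer and subject Names from an X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional EXPLICIT [0] version present
        _, _, pos = _read_tlv(tbs, pos)     # serialNumber
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, issuer, pos = _read_tlv(tbs, pos)    # issuer Name
    _, _, pos = _read_tlv(tbs, pos)         # validity
    _, subject, _ = _read_tlv(tbs, pos)     # subject Name
    return issuer, subject

def pem_to_ders(text):
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode("".join(m.group(1).split()))
            for m in re.finditer(pat, text, re.S)]

def analyse_chain(pem_text):
    """Chain length, positions of self-issued certs, and whether each cert's
    issuer equals the next cert's subject (the order TLS expects)."""
    names = [issuer_and_subject(d) for d in pem_to_ders(pem_text)]
    self_issued = [i for i, (iss, sub) in enumerate(names) if iss == sub]
    ordered = all(names[i][0] == names[i + 1][1] for i in range(len(names) - 1))
    return {"count": len(names), "self_issued": self_issued, "ordered": ordered}

# --- constructed sample input: unsigned stand-in certificates (not real certs) ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single CN (OID 2.5.4.3)
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))

_SHA256_RSA = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))

def fake_cert_pem(subject_cn, issuer_cn):
    """CONSTRUCTED, unsigned certificate with the real TBSCertificate layout."""
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                       # version v3
               + _tlv(0x02, b"\x01")                                 # serialNumber
               + _SHA256_RSA                                         # signature algorithm
               + _name(issuer_cn)                                    # issuer
               + _tlv(0x30, _tlv(0x18, b"20240101000000Z")
                            + _tlv(0x18, b"20340101000000Z"))        # validity
               + _name(subject_cn)                                   # subject
               + _tlv(0x30, b""))                                    # subjectPublicKeyInfo placeholder
    der = _tlv(0x30, tbs + _SHA256_RSA + _tlv(0x03, b"\x00"))        # empty signature BIT STRING
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

CHAIN_WITH_ROOT = (fake_cert_pem("www.example.test", "Example Intermediate CA")
                   + fake_cert_pem("Example Intermediate CA", "Example Root CA")
                   + fake_cert_pem("Example Root CA", "Example Root CA"))
CHAIN_WITHOUT_ROOT = (fake_cert_pem("www.example.test", "Example Intermediate CA")
                      + fake_cert_pem("Example Intermediate CA", "Example Root CA"))

if __name__ == "__main__":
    for label, chain in (("with root", CHAIN_WITH_ROOT), ("without root", CHAIN_WITHOUT_ROOT)):
        print(label, analyse_chain(chain))
```

After disabling automatic chain construction (SSL_MODE_NO_AUTO_CHAIN) or building with SSL_BUILD_CHAIN_FLAG_NO_ROOT, the expected result for the chain the server sends is `self_issued == []` with `ordered == True`: the peer has to hold the root in its own trust store anyway, so sending it only adds bytes to every handshake. A non-empty `self_issued` list with the root at the last position is exactly the symptom described in the question above.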