On Sat, Jul 16, 2022 at 08:45:22AM +0200, David von Oheimb wrote:

> To me the below warnings look strange because usually at depth 0 and 1
> of a cert chain (i.e., at the positions of the end entity cert and any
> subsequent intermediate cert) it is normal to have untrusted certs.
> Usually only at the end of the chain you have a trusted cert that
> represents the trust anchor for the chain.

The certificate in question appears to be issued by a private CA, so the
immediate issuer may well be the trust-anchor. That said, yes, there is
not enough information in the OP's message to determine even whether
there is a problem, or what it might be.

> > I have freeradius server configured to use EAP-TLS (certificate
> > based authn) Since some time I have warning in logs:
> >
> > --8<---------------cut here---------------start------------->8---
> > Fri Jul 15 22:29:04 2022 : Warning: (TLS) untrusted certificate with
> > depth [1] subject name
> > /C=PL/ST=Mazowieckie/L=Warszawa/O=beta/OU=wifi/CN=beta-wifi-ca
> > Fri Jul 15 22:29:04 2022 : Warning: (TLS) untrusted certificate with
> > depth [0] subject name
> > /C=PL/ST=Mazowieckie/O=beta/OU=wifi/CN=salamandra
> > --8<---------------cut here---------------end--------------->8---
> >
> > I took a look into code and it seems to be related to
> > "X509_STORE_CTX_get0_untrusted(ctx)" function.

That's almost certainly a red herring. It returns the list of non
helper certificates that are used to build a chain to the root of trust.
These are typically the certificates provided by the peer. Trusted
certificates come from the local trust store (CAfile, CApath, ...).

> > I tried to search, but without success. Can anyone tell me when
> > certificate is "trusted" in this context? (How to get rid of this
> > warning) or point to documentation/search keys

A trusted certificate is a typically self-signed CA certificate stored
in a file which is used to hold trusted certificates.

--
    Viktor.
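
The distinction discussed in this message, between certificates that are only offered as chain-building helpers and certificates held in the local trust store, can be reproduced with the openssl command line. This is an added example, not code from the thread or from FreeRADIUS; the demo-ca and demo-leaf names, key sizes and file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: demo-ca and demo-leaf are made-up names, not the OP's certs.

# Create a throwaway self-signed private CA and one end-entity cert in dir $1.
make_demo_pki() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=demo/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=demo/CN=demo-leaf" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Print "verified" or "rejected" for the leaf in dir $2.
#   anchor    : the CA is in the local trust store (-CAfile), as with CAfile/CApath
#   peer-only : the CA is only offered as a chain-building helper (-untrusted),
#               as if the peer had sent it; nothing local vouches for it
chain_status() {
    local mode=$1 d=$2
    case $mode in
        anchor)    set -- -CAfile "$d/ca.pem" ;;
        peer-only) set -- -no-CAfile -no-CApath -untrusted "$d/ca.pem" ;;
        *)         echo "usage: chain_status anchor|peer-only DIR" >&2; return 2 ;;
    esac
    if openssl verify "$@" "$d/leaf.pem" >/dev/null 2>&1; then
        echo verified
    else
        echo rejected
    fi
}

demo() {
    local d
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    echo "CA in local trust store:  $(chain_status anchor "$d")"
    echo "CA supplied as helper only: $(chain_status peer-only "$d")"
    # -show_chain tags certs that did not come from the trust store as "(untrusted)"
    openssl verify -show_chain -CAfile "$d/ca.pem" "$d/leaf.pem"
    rm -rf "$d"
}
demo
```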