The certificates are attached below. The use case is client A only has ta_primary_cert.pem and client B only has ta_secondary_cert.pem. I'm trying to build a chain that the server can use (in the server hello) so that both client A and client B can successfully connect. Since openssl verify -trusted ta_secondary_cert.pem -untrusted cross_ca_cert.pem server_cert.pem works, I'm not sure why adding the other untrusted CA certificate would cause verification to fail - there is still a valid path from the leaf to a trusted root.

$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

$ openssl verify -trusted ta_primary_cert.pem -untrusted ca_cert.pem server_cert.pem
server_cert.pem: OK

$ openssl verify -trusted ta_secondary_cert.pem -untrusted cross_ca_cert.pem server_cert.pem
server_cert.pem: OK

$ openssl verify -trusted ta_secondary_cert.pem -untrusted ca_cert.pem -untrusted cross_ca_cert.pem server_cert.pem
C = GB, O = Acme, L = London, CN = Intermediate CA
error 20 at 1 depth lookup: unable to get local issuer certificate
error server_cert.pem: verification failed

$ openssl verify -trusted ta_secondary_cert.pem -untrusted cross_ca_cert.pem -untrusted ca_cert.pem server_cert.pem
server_cert.pem: OK
Attachments (application/x509-ca-cert):
ca_cert.pem
cross_ca_cert.pem
server_cert.pem
ta_primary_cert.pem
ta_secondary_cert.pem
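The post's results are what you get when the path builder takes the first untrusted certificate whose subject matches the current issuer and never backtracks. The toy model below, an added example that is not part of the post or of OpenSSL, contrasts that first-match strategy with a backtracking search. It assumes, as the name "cross CA" implies, that ca_cert.pem and cross_ca_cert.pem carry the same subject (Intermediate CA) and are signed by the primary and secondary trust anchor respectively; the names and the server's CN are constructed stand-ins.

```python
"""Toy X.509 path builder: certs are modelled as (subject, issuer) names only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    label: str    # file name from the post, for readable output
    subject: str
    issuer: str


# Constructed stand-ins for the five attached files (names are assumptions).
TA_PRIMARY = Cert("ta_primary_cert.pem", "Primary Root", "Primary Root")
TA_SECONDARY = Cert("ta_secondary_cert.pem", "Secondary Root", "Secondary Root")
CA = Cert("ca_cert.pem", "Intermediate CA", "Primary Root")
CROSS_CA = Cert("cross_ca_cert.pem", "Intermediate CA", "Secondary Root")
SERVER = Cert("server_cert.pem", "server.example", "Intermediate CA")


def build_chain_greedy(leaf, untrusted, trusted):
    """First-match lookup: take the first untrusted cert whose subject equals the
    current issuer and never revisit that choice. Returns labels or None."""
    chain, cur = [leaf], leaf
    while cur.subject != cur.issuer:          # stop at a self-signed cert
        anchor = next((t for t in trusted if t.subject == cur.issuer), None)
        if anchor is not None:
            return [c.label for c in chain + [anchor]]
        nxt = next((u for u in untrusted if u.subject == cur.issuer), None)
        if nxt is None:                       # "unable to get local issuer"
            return None
        chain.append(nxt)
        cur = nxt
    return None


def build_chain_backtracking(leaf, untrusted, trusted):
    """Depth-first search over every issuer candidate; order of the untrusted
    list no longer decides success, only which valid path is found first."""
    def search(cur, chain):
        for t in trusted:
            if t.subject == cur.issuer:
                return chain + [t]
        for u in untrusted:
            if u.subject == cur.issuer and u not in chain:
                found = search(u, chain + [u])
                if found:
                    return found
        return None
    path = search(leaf, [leaf])
    return [c.label for c in path] if path else None
```

With the greedy builder, untrusted order [ca_cert, cross_ca_cert] dead-ends at the primary-signed intermediate exactly as in the failing command, while the reversed order and the backtracking builder both reach ta_secondary_cert.pem.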