Hello,

We have a server where its ServerCert is signed by an intermediateCA, which is signed by a RootCA. Currently, OpenSSL seems to require RootCA cert to be installed (in the certs dir) in order to connect to the server. We would like a feature where the leaf certificate (ServerCert) can be trusted if that particular cert is in the certs dir.

Jordan Brown was in contact with Steve H. to find out that there is an experimental X509_V_FLAG_PARTIAL_CHAIN flag support in 1.0.2. We tried our experiment with 1.0.2 and X509_V_FLAG_PARTIAL_CHAIN. That helped some but does not seem to have addressed the need.

I need some help understanding what's going on to resolve this issue.
Here are my findings:

Test 1: openssl verify -partial_chain ServerCert.pem

  - This is successful if the intermediate cert is installed: This is good.
    - Without "-partial_chain", 'openssl verify' fails even if the
      intermediate cert is installed.
    - openssl stat()s for intermediate cert (success) and RootCA cert (fail)
    - check_trust() returns TRUSTED as last_untrusted(=1) is less than
      sk_X509_num(=2)

  - This fails if only the ServerCert is installed.
    - openssl stat()s for the intermediateCA (fail) only.
    - check_trust() returns UNTRUSTED as last_untrusted(=1) is not less
      than sk_X509_num(=1)
    - We would like this case to be successful.

Test 2: openssl s_client -connect lc-sfbay-02:636 -partial_chain -CApath /etc/openssl/certs

  - This is successful if RootCA certificate is installed
    - openssl stat()s for RootCA cert (success)

  - This fails if RootCA is not installed even if ServerCert and/or
    intermediateCA is installed
    - openssl stat()s for RootCA cert (fail) only
    - check_trust() returns UNTRUSTED as last_untrusted(=2) is not less
      than sk_X509_num(=2)
    - We would like this case to succeed.

Can I get some help figuring out what needs to be changed so that the leaf certificate (ServerCert) can be trusted?

Thank you

-- misaki
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]