On Fri, Aug 02, 2013, Misaki.Miyashita wrote:
> Hello,
>
> We have a server where its ServerCert is signed by an intermediateCA, which is signed by a RootCA.
> Currently, OpenSSL seems to require the RootCA cert to be installed (in the certs dir) in order to connect to the server.
> We would like a feature where the leaf certificate (ServerCert) can be trusted if that particular cert is in the certs dir.
>
> Jordan Brown was in contact with Steve H. to find out that there is an experimental X509_V_FLAG_PARTIAL_CHAIN flag support in 1.0.2.
> We tried our experiment with 1.0.2 and X509_V_FLAG_PARTIAL_CHAIN. That helped some but does not seem to have addressed the need.
>
> I need some help understanding what's going on to resolve this issue. Here are my findings:
>
> Test 1: openssl verify -partial_chain ServerCert.pem
>
> - This is successful if the intermediate cert is installed: This is good.
>   - Without "-partial_chain", 'openssl verify' fails even if the intermediate cert is installed.
>   - openssl stat()s for intermediate cert (success) and RootCA cert (fail)
>   - check_trust() returns TRUSTED as last_untrusted(=1) is less than sk_X509_num(=2)
>
> - This fails if only the ServerCert is installed.
>   - OpenSSL stat()s for the intermediateCA (fail) only.
>   - check_trust() returns UNTRUSTED as last_untrusted(=1) is not less than sk_X509_num(=1)
>   - We would like this case to be successful.
>
> Test 2: openssl s_client -connect lc-sfbay-02:636 -partial_chain -CApath /etc/openssl/certs
>
> - This is successful if the RootCA certificate is installed
>   - openssl stat()s for RootCA cert (success)
>
> - This fails if the RootCA is not installed even if ServerCert and/or intermediateCA is installed
>   - openssl stat()s for RootCA cert (fail) only
>   - check_trust() returns UNTRUSTED as last_untrusted(=2) is not less than sk_X509_num(=2)
>   - We would like this case to succeed.
>
> Can I get some help figuring out what needs to be changed so that the leaf certificate (ServerCert) can be trusted?
>
This works fine for me and the test certificate apps/server.pem. I'm not sure what the problem is unless you didn't call c_rehash or equivalent after you installed the server certificate. Try using the -CAfile option too.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
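The cases discussed in the thread can be reproduced locally. The following shell script is an added example, not code from the thread or from OpenSSL's own test suite: it builds a throwaway Root -> Intermediate -> Server chain, installs different subsets into hashed trust directories the way c_rehash does, and runs `openssl verify` with and without `-partial_chain`. It assumes a current `openssl` binary (1.1.1 or 3.x) on PATH; the hostname `server.example` and the section names in `chain.cnf` are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce the -partial_chain cases from the thread with a
# throwaway chain. Assumes a current openssl binary (1.1.1 or 3.x).
set -e
WORK=$(mktemp -d)
cd "$WORK"
# One config file serves `req -config` and `x509 -extfile`; -subj supplies the DN.
cat > chain.cnf <<'EOF'
[req]
distinguished_name=dn
[dn]
[ca_ext]
basicConstraints=critical,CA:TRUE
[leaf_ext]
basicConstraints=CA:FALSE
subjectAltName=DNS:server.example
EOF
Q="-config chain.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
# Self-signed root, intermediate signed by the root, server cert signed by the intermediate.
openssl req -x509 $Q -keyout root.key -out root.pem -subj /CN=TestRoot -days 1 -extensions ca_ext 2>/dev/null
openssl req $Q -keyout int.key -out int.csr -subj /CN=TestIntermediate 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 1 -extfile chain.cnf -extensions ca_ext 2>/dev/null
openssl req $Q -keyout srv.key -out srv.csr -subj /CN=server.example 2>/dev/null
openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out srv.pem -days 1 -extfile chain.cnf -extensions leaf_ext 2>/dev/null

# make_store DIR CERT...: install each cert as <subject_hash>.0, the layout that
# c_rehash / openssl rehash produce. A PEM dropped in under its own name is never found.
make_store() {
  d="$WORK/$1"; shift; mkdir -p "$d"
  for c in "$@"; do cp "$WORK/$c" "$d/$(openssl x509 -noout -subject_hash -in "$WORK/$c").0"; done
}
make_store root_only root.pem
make_store int_only  int.pem
make_store leaf_only srv.pem

# verify_leaf STORE [FLAGS...]: prints "ok" or "fail" for srv.pem against that store.
verify_leaf() {
  store="$WORK/$1"; shift
  if openssl verify "$@" -CApath "$store" "$WORK/srv.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "root in store, intermediate supplied by peer: $(verify_leaf root_only -untrusted "$WORK/int.pem")"
echo "intermediate only, no flag:                   $(verify_leaf int_only)"
echo "intermediate only, -partial_chain:            $(verify_leaf int_only -partial_chain)"
echo "leaf only, -partial_chain:                    $(verify_leaf leaf_only -partial_chain)"
```

With the store directory hashed, the intermediate-only and leaf-only cases both verify under `-partial_chain` on current releases, while the intermediate-only case without the flag still fails for lack of the root.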
