> On Aug 9, 2016, at 2:52 PM, Salz, Rich via RT <r...@openssl.org> wrote:
>
> As Viktor pointed out, this doesn't work in 1.0.1
The story is a bit more complicated. What's really going on is that
root (self-signed) CAs in the trust store are backwards-compatible
implicit trust-anchors for all purposes. Intermediate certificates
require auxiliary trust settings in the trust store to specify any
purposes for which they are trusted or rejected as trust-anchors.
Trusted certificates can be created via the "-addtrust" option of
"openssl x509". I've not checked 1.0.1, but explicitly trusted
intermediates are likely to work with 1.0.1 if decorated as trusted via:
openssl x509 -in cert.pem -trustout -addtrust serverAuth -out trusted.pem
or:
openssl x509 -in cert.pem -trustout -addtrust anyExtendedKeyUsage -out
trusted.pem
or similar.
--
Viktor.
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4644
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
