> On Aug 9, 2016, at 2:52 PM, Salz, Rich via RT <r...@openssl.org> wrote:
>
> As Viktor pointed out, this doesn't work in 1.0.1

The story is a bit more complicated. What's really going on is that root (self-signed) CAs in the trust store are backwards-compatible implicit trust-anchors for all purposes. Intermediate certificates require auxiliary trust settings in the trust store to specify any purposes for which they are trusted or rejected as trust-anchors.

Trusted certificates can be created via the "-addtrust" option of "openssl x509". I've not checked 1.0.1, but explicitly trusted intermediates are likely to work with 1.0.1 if decorated as trusted via:

    openssl x509 -in cert.pem -trustout -addtrust serverAuth -out trusted.pem

or:

    openssl x509 -in cert.pem -trustout -addtrust anyExtendedKeyUsage -out trusted.pem

or similar.

--
Viktor.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4644