> On Aug 9, 2016, at 2:52 PM, Salz, Rich via RT <r...@openssl.org> wrote:
> 
> As Viktor pointed out, this doesn't work in 1.0.1

The story is a bit more complicated.  What's really going on is that
root (self-signed) CAs in the trust store are backwards-compatible
implicit trust-anchors for all purposes.  Intermediate certificates
require auxiliary trust settings in the trust store to specify any
purposes for which they are trusted or rejected as trust-anchors.

Trusted certificates can be created via the "-addtrust" option of
"openssl x509".  I've not checked 1.0.1, but explicitly trusted
intermediates are likely to work with 1.0.1 if decorated as trusted via:

   openssl x509 -in cert.pem -trustout -addtrust serverAuth -out trusted.pem

or:

   openssl x509 -in cert.pem -trustout -addtrust anyExtendedKeyUsage -out trusted.pem

or similar.

-- 
        Viktor.

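The trust-anchor behaviour described in the reply above, as an added example that is not part of the original thread or of OpenSSL's own test suite: it builds a throw-away root, intermediate and leaf, then checks that "openssl verify" refuses the bare intermediate as an anchor but accepts it once decorated with "-trustout -addtrust". It assumes OpenSSL 1.1.1 or 3.x on PATH; the names (Example Root, www.example.test, the ext.cnf sections) are constructed for the demo.

```shell
# Added example, not OpenSSL's code. Returns 0 when all three observations hold:
# bare intermediate rejected, serverAuth-trusted intermediate accepted for the
# sslserver purpose, anyExtendedKeyUsage-trusted intermediate accepted for any purpose.
demo_trusted_intermediate() (
    command -v openssl >/dev/null 2>&1 || { echo "SKIP: openssl not on PATH" >&2; exit 0; }
    work=$(mktemp -d) && cd "$work" || exit 2
    cat > ext.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Self-signed root: an implicit trust anchor for every purpose, no aux data needed.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/CN=Example Root" -days 30 -config ext.cnf -extensions ca_ext >/dev/null 2>&1 || exit 2
    # Intermediate CA issued by the root (constructed names).
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Example Intermediate" -config ext.cnf >/dev/null 2>&1 || exit 2
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -extfile ext.cnf -extensions ca_ext -out int.pem >/dev/null 2>&1 || exit 2
    # Server leaf issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=www.example.test" -config ext.cnf >/dev/null 2>&1 || exit 2
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 30 -extfile ext.cnf -extensions leaf_ext -out leaf.pem >/dev/null 2>&1 || exit 2
    # The two decorated forms from the thread: TRUSTED CERTIFICATE blocks carrying aux trust.
    openssl x509 -in int.pem -trustout -addtrust serverAuth -out int_server.pem || exit 2
    openssl x509 -in int.pem -trustout -addtrust anyExtendedKeyUsage -out int_any.pem || exit 2
    v() { openssl verify -no-CAfile -no-CApath "$@" >/dev/null 2>&1; }
    # 1. Bare intermediate in the store: not self-signed and no trust settings, so
    #    the chain cannot end there and verification fails (no -partial_chain given).
    v -CAfile int.pem leaf.pem && exit 3
    # 2. Trusted for serverAuth only: accepted when verifying for the matching purpose.
    v -CAfile int_server.pem -purpose sslserver leaf.pem || exit 4
    # 3. Trusted for anyExtendedKeyUsage: accepted without naming a purpose at all.
    v -CAfile int_any.pem leaf.pem || exit 5
    cd / && rm -rf "$work"
    echo "explicit trust settings turned the intermediate into a usable anchor"
)
```

Case 2 deliberately passes -purpose: a serverAuth-only trust setting is matched against the purpose being verified, so checking without one does not treat that intermediate as a blanket anchor the way the anyExtendedKeyUsage form does.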

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4644
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
