[EMAIL PROTECTED] wrote:
> 
> All,
> 
> I would like to get OpenSSL to trust a CA which doesn't have a root cert,
> basically an intermediate CA.
> With a browser you can define a list of intermediate trusted CAs so that you
> don't need the root cert which signed the intermediate cert. I would like
> to do the same with OpenSSL.
> 
> I use openssl in my client, and my server is using a chain cert. However I
> don't want to have to accept chain certs, so I would like to be able to
> accept the cert based on the trust of the intermediate CA.
> 
> I have tried to add it in the root certs list, but it didn't work; OpenSSL
> is rejecting it saying Invalid CA cert.
> 
> Is there any way to get OpenSSL to accept the intermediate cert as a CA?
> 

Well if it is rejecting the intermediate CA then either it is an invalid
CA (extensions incorrect) or you've hit the server extended key usage
bug (which is fixed in the development version of OpenSSL).

Currently you have to trust the root CA. Trust of CAs other than the
root is not recognized though this will be added at some later date.

It is possible to replace the verify callback that is used for SSL and
it can do whatever you want, though you then have to write your own
verify code. 

Hmmm, now I think of it, an alternative is to disable chain verify and
include the whole chain (minus end user cert) in the trusted store. That
isn't supported at present but it isn't too difficult to add.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
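The two routes discussed above (trusting the intermediate directly, or trusting only the root and supplying the intermediate as chain material) can be checked from the command line. This is an added example and not code from the thread: it builds a constructed root/intermediate/leaf chain in a temporary directory and runs openssl verify three ways; -partial_chain is the flag later added to OpenSSL (1.0.2 and newer) that lets a non-root certificate act as the trust anchor, and all subject names are made up.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> leaf chain built with the openssl CLI,
# then the leaf is checked against three different trust configurations.
# Assumes openssl 1.0.2+ (for -partial_chain); every name and path here is constructed.
set -e

# sign_cert DIR NAME ISSUER EXTFILE SUBJECT: make a key + CSR for NAME, sign it with ISSUER.
sign_cert() {
  d="$1"; n="$2"; issuer="$3"; ext="$4"; subj="$5"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  openssl x509 -req -in "$d/$n.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
}

# build_chain DIR: self-signed root, an intermediate carrying the CA extensions OpenSSL
# requires before it will accept a cert as a CA (CA:TRUE + keyCertSign), and a server leaf.
build_chain() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  sign_cert "$d" int root "$d/ca.ext" "/CN=Demo Intermediate"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
  sign_cert "$d" leaf int "$d/leaf.ext" "/CN=server.example"
}

# verify_leaf LEAF [openssl verify options...]: returns 0 only if openssl prints "<leaf>: OK".
verify_leaf() {
  leaf="$1"; shift
  openssl verify "$@" "$leaf" 2>&1 | grep -q ': OK$'
}

work=$(mktemp -d)
build_chain "$work"
# 1. Only the intermediate in the trust store, default rules: rejected, the chain never reaches a root.
verify_leaf "$work/leaf.pem" -CAfile "$work/int.pem" && echo "1: accepted" || echo "1: rejected"
# 2. Same store, partial chains allowed: the intermediate itself is the trust anchor.
verify_leaf "$work/leaf.pem" -partial_chain -CAfile "$work/int.pem" && echo "2: accepted" || echo "2: rejected"
# 3. Trust the root only and pass the intermediate as untrusted chain material.
verify_leaf "$work/leaf.pem" -CAfile "$work/root.pem" -untrusted "$work/int.pem" && echo "3: accepted" || echo "3: rejected"
rm -rf "$work"
```

If case 2 is rejected with "invalid CA certificate", the intermediate lacks the CA extensions written to ca.ext above, which is the same failure the original question reports.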

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]