Greetings All,

I was studying the certs I'd created and (unless I've missed
something) I've realized that there is actually nothing in a
certificate that tells anyone exactly where to go to get the issuer's
certificate (i.e. walk the chain). Here are the lines from one of my certs
that could even possibly provide any info in that regard:

***********************************************************************
   Certificate:
      Data:
        Issuer: C=US, ST=California, L=Camarillo, O=GCIC, \
          CN=GCIC Trusted Authority/[EMAIL PROTECTED]
        Subject: C=US, ST=California, O=GCIC, \
          CN=www.gcic.org/[EMAIL PROTECTED]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
              C2:0A:40:AB:40:3E:63:85:E0:E8:7D:94:EF:49:F2:AD:5C:8E:2F:97
            X509v3 Authority Key Identifier:
            DirName:/C=US/ST=California/L=Camarillo/O=GCIC/ \
              CN=GCIC Trusted Authority/[EMAIL PROTECTED]
            serial:00
***********************************************************************

So I suppose that points out why the entire chain is presented to the
remote verifier, since without the server supplying all certificates
in the chain, the verifier has no way to know where to go "fetch" the
chain from. Am I right?

Also, in my server's directory under /certs, there are the
certificates that I've issued, and the symbolic hashed links to each
(i.e. the XXXXXXXX.0 links). Could someone please explain again, just
what data from the cert is being hashed to create the file name? Is it
the Issuer's CN, Subject's CN or the DirName's CN that the hash is
created from? Or is it the entire contents?

Thanks for your help!
I've learned quite a bit already from reading the emails from this
list (even though I only understand about 1/3 of the discussions right
now), but keep 'em coming :)

Best,
Dann

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
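
An added example, not part of the original post and not OpenSSL project code: the XXXXXXXX in a hashed link is the hash of the certificate's whole Subject name, and a verifier finds an issuer in the directory by hashing the Issuer name of the certificate it holds. The CA, the server certificate and all names below are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA and server cert; every name here is made up.
set -eu

make_demo_pki() {   # $1 = empty working directory
    mkdir -p "$1/certs"
    # Self-signed CA certificate, stored in the lookup directory.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=Example/CN=Example Demo CA" \
        -keyout "$1/ca.key" -out "$1/certs/ca.pem" 2>/dev/null
    # Server key and request, then a certificate issued by the demo CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Example/CN=www.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -days 1 -set_serial 1 \
        -CA "$1/certs/ca.pem" -CAkey "$1/ca.key" \
        -out "$1/leaf.pem" 2>/dev/null
}

# Hash of the certificate's own Subject name: the XXXXXXXX in XXXXXXXX.0.
subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }

# Hash of the Issuer name: what a verifier computes to find the next cert up.
issuer_hash() { openssl x509 -noout -issuer_hash -in "$1"; }

# Succeeds only if the leaf's issuer is found through the hashed directory.
verifies() {
    openssl verify -CApath "$1/certs" "$1/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

demo() {
    dir=$(mktemp -d)
    make_demo_pki "$dir"
    h=$(subject_hash "$dir/certs/ca.pem")
    echo "CA subject hash:  $h"
    echo "leaf issuer hash: $(issuer_hash "$dir/leaf.pem")"
    verifies "$dir" && echo "before link: OK" || echo "before link: issuer not found"
    ln -s ca.pem "$dir/certs/$h.0"   # the link c_rehash would create
    verifies "$dir" && echo "after link:  OK" || echo "after link:  issuer not found"
    rm -rf "$dir"
}

demo
```

OpenSSL releases before 1.0.0 computed this hash differently; `-subject_hash_old` prints that older value.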