Greetings All,

I was studying the certs I'd created and (unless I've missed something) I've realized that there is actually nothing in a certificate that tells anyone exactly where to go to get the issuer's certificate (i.e. walk the chain). Here are the lines from one of my certs that could even possibly provide any info in that regard:
***********************************************************************
Certificate:
    Data:
        Issuer: C=US, ST=California, L=Camarillo, O=GCIC, \
                CN=GCIC Trusted Authority/[EMAIL PROTECTED]
        Subject: C=US, ST=California, O=GCIC, \
                 CN=www.gcic.org/[EMAIL PROTECTED]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C2:0A:40:AB:40:3E:63:85:E0:E8:7D:94:EF:49:F2:AD:5C:8E:2F:97
            X509v3 Authority Key Identifier:
                DirName:/C=US/ST=California/L=Camarillo/O=GCIC/ \
                        CN=GCIC Trusted Authority/[EMAIL PROTECTED]
                serial:00
***********************************************************************

So I suppose that points out why the entire chain is presented to the remote verifier, since without the server supplying all certificates in the chain, the verifier has no way to know where to go "fetch" the chain from. Am I right?

Also, in my server's directory under /certs, there are the certificates that I've issued, and the symbolic hashed links to each (i.e. the XXXXXXXX.0 links). Could someone please explain again, just what data from the cert is being hashed to create the file name? Is it the Issuer's CN, Subject's CN or the DirName's CN that the hash is created from? Or is it the entire contents?

Thanks for your help! I've learned quite a bit already from reading the emails from this list (even though I only understand about 1/3 of the discussions right now), but keep em coming :)

Best,
Dann

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
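
The hashed link names asked about above can be checked with the openssl command line. The script below is an added example, not part of the original post: it builds a constructed test CA and server certificate in a temporary directory (all names, keys and paths are assumptions) and shows that the XXXXXXXX.0 name is the hash of the CA certificate's whole subject name, which equals the issuer hash of a certificate that CA signed.

```shell
#!/bin/sh
# Added example. All names and keys below are constructed, throwaway test data.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir "$work/certs"

# Self-signed test CA, then a server certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/O=Example Org/CN=Example Test CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/O=Example Org/CN=www.example.test" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -set_serial 1 -days 1 -out "$work/leaf.pem" 2>/dev/null

# -subject_hash (alias: -hash) hashes the certificate's whole subject DN;
# -issuer_hash hashes its issuer DN the same way.
ca_subject_hash()   { openssl x509 -in "$work/ca.pem"   -noout -subject_hash; }
leaf_subject_hash() { openssl x509 -in "$work/leaf.pem" -noout -subject_hash; }
leaf_issuer_hash()  { openssl x509 -in "$work/leaf.pem" -noout -issuer_hash; }

# Prints OK if the leaf verifies with the hashed directory as -CApath, else FAIL.
verify_leaf() {
    if openssl verify -CApath "$work/certs" "$work/leaf.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Link name = hash of the CA's subject DN + ".0" (the suffix counts collisions).
link="$work/certs/$(ca_subject_hash).0"
ln -s "$work/ca.pem" "$link"
with_link=$(verify_leaf)

# Same CA file under a name that does not match the hash: the lookup misses it.
mv "$link" "$work/certs/00000000.0"
without_link=$(verify_leaf)
mv "$work/certs/00000000.0" "$link"

echo "CA subject hash:   $(ca_subject_hash)"
echo "leaf issuer hash:  $(leaf_issuer_hash)"
echo "leaf subject hash: $(leaf_subject_hash)"
echo "verify with hashed link: $with_link, with renamed link: $without_link"
```

The verifier computes the issuer hash of the certificate it is checking and opens the file of that name in the directory, so a CA file stored under any other name is not found.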