On Wed, Nov 10, 2004, Reimer Karlsen, DFN-CERT wrote:

> Hi,
>
> I have a question regarding cert path validation like it is done by the
> openssl suite.
>
> I read 'man verify' and 'man s_server' but to me it is still unclear if the
> CA certificates of *intermediate* CAs must be either in the file specified
> by -CAfile or in the directory (with symlink hash) specified by -CApath
> if openssl wants to successfully validate a presented end-entity
> certificate.
>
> I know that the root certificates must be present at one or the other of
> these locations though. But how about the intermediates?
>
> I assume the intermediate CA certs must be available if the end-entity does
> not send at least a long enough suffix of the certificate chain - long
> enough to connect to a CA cert installed in either -CAfile or -CApath with
> a complete cert chain prefix leading to an installed root.
>
> [With the start of the cert chain prefix being the root cert and the end of
> the cert chain suffix being the end-entity cert.]
>
> Right?
In many protocols (including SSL/TLS and S/MIME) a set of intermediate
certificates is supplied by the peer along with the EE certificate. If this
chain contains sufficient intermediate certificates then only the root needs
to be included in the trusted store; otherwise any certificates missing from
the path to the root need to be included.

In SSL/TLS the standards require including the whole chain (with the root CA
being optional) so any peer that doesn't do this is broken/misconfigured.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
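A constructed demonstration of the point made in the reply, added here and not part of the thread: a throwaway root, intermediate and end-entity chain is built with the openssl CLI (all names made up), then checked three ways with `openssl verify`, where `-untrusted` plays the role of the chain a TLS peer would send. It assumes a reasonably current openssl binary is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: where must the intermediate live for
# `openssl verify` to build a path from a constructed EE cert to the root?
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: anything used as an issuer must carry basicConstraints CA:TRUE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > ee.ext

# Self-signed root CA (the only thing an operator would normally trust).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
  -extfile ca.ext 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 30 -extfile ca.ext 2>/dev/null

# End-entity certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
  -subj "/CN=ee.example.test" 2>/dev/null
openssl x509 -req -in ee.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out ee.pem -days 30 -extfile ee.ext 2>/dev/null

# Trusted store holds only the root and the peer sent nothing: no path, fails.
verify_root_only() {
  openssl verify -CAfile root.pem ee.pem >/dev/null 2>&1
}

# Intermediate supplied as untrusted input, as a well-behaved TLS peer would: succeeds.
verify_peer_supplied_chain() {
  openssl verify -CAfile root.pem -untrusted inter.pem ee.pem >/dev/null 2>&1
}

# Intermediate added to the trusted store next to the root (the -CAfile route): succeeds.
verify_intermediate_in_store() {
  cat root.pem inter.pem > trusted.pem
  openssl verify -CAfile trusted.pem ee.pem >/dev/null 2>&1
}

if verify_root_only; then echo "root only: verified"; else echo "root only: failed (expected)"; fi
verify_peer_supplied_chain && echo "root + untrusted intermediate: verified"
verify_intermediate_in_store && echo "root + intermediate in trusted store: verified"
```

Use `-CApath` with `c_rehash`-style hashed symlinks instead of the concatenated `-CAfile` for the third case and the outcome is the same; what matters is whether the intermediate is reachable at all.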
