On Mon, Feb 27, 2006 at 08:05:59PM +0100, Dr. Stephen Henson wrote:
> On Mon, Feb 27, 2006, Brian Candler wrote:
>
> > On Mon, Feb 27, 2006 at 01:41:33PM +0100, Dr. Stephen Henson wrote:
> > > Since you didn't include the root CA it isn't possible to say why it isn't
> > > excluded.
> > >
> > > I notice the small serial numbers in the certificates and some invalid
> > > extensions in there. I'd suggest using the CA.pl script (if you use OpenSSL
> > > 0.9.8 get it from a recent snapshot: the included one is buggy) instead.
> >
> > The root certificate is attached below. I also tried appending this to my
> > server.example.com-cert.pem (so there were three certificates in all), but
> > that didn't make a difference.
> >
>
> Have you tried placing the sub CA in /etc/ssl/certs and running c_rehash on
> that directory?

I hadn't, because I thought that would invalidate what I'm trying to do.
Clearly, if I distribute the sub-CA's certificate to all the clients, then
they will be able to validate it anyway. But I hadn't thought that perhaps
the *server* side still needs to be able to pick up those certificates from
there...

[Test] Yep, if I do that, the server does indeed hand out the chain.

> > Is it correct of me simply to concatenate the server certificate together
> > with the sub-CA certificate and the root certificate? Or should TinyCA have
> > created a certificate which incorporates the whole chain itself? Or does the
> > application use some other mechanism to assemble the chain from the
> > constituent certificates? I'm afraid I'm not sufficiently PKCS#7-savvy to
> > know what a real certificate at the bottom of a chain should look like.
> >
>
> It needs to have the whole chain visible somehow. Placing the subCA and root
> CA in the trusted directory is one way. Concatenating them into a single file
> and pointing to that using -CAfile is another.

Ah. I had just used -cert ../server.example.com-cert.pem (where this file
contains all the certificates). So now I've added -CAfile as well, pointing
to the same file:

#!/bin/sh
cd content
openssl s_server -cert ../server.example.com-cert.pem \
    -CAfile ../server.example.com-cert.pem \
    -key ../server.example.com-key.pem \
    -WWW

And it works.

I've removed the sub-CA certificate and its symlink from /etc/ssl/certs, but
the client can still verify the chain:

$ openssl s_client -connect localhost:4433 -showcerts -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 /C=GB/L=London/O=Candler Insecure Certificate Authority/CN=root.ca.linnet.org/[EMAIL PROTECTED]
verify return:1
depth=1 /C=GB/L=London/O=Candler Insecure Certificate Authority/CN=sub.ca.linnet.org/[EMAIL PROTECTED]
verify return:1
depth=0 /C=GB/L=London/O=Test server certificate/CN=server.example.com
verify return:1
---
Certificate chain
 0 s:/C=GB/L=London/O=Test server certificate/CN=server.example.com
   i:/C=GB/L=London/O=Candler Insecure Certificate Authority/CN=sub.ca.linnet.org/[EMAIL PROTECTED]
...
 1 s:/C=GB/L=London/O=Candler Insecure Certificate Authority/CN=sub.ca.linnet.org/[EMAIL PROTECTED]
   i:/C=GB/L=London/O=Candler Insecure Certificate Authority/CN=root.ca.linnet.org/[EMAIL PROTECTED]
...
 2 s:/C=GB/L=London/O=Candler Insecure Certificate Authority/CN=root.ca.linnet.org/[EMAIL PROTECTED]
   i:/C=GB/L=London/O=Candler Insecure Certificate Authority/CN=root.ca.linnet.org/[EMAIL PROTECTED]
...
Verify return code: 0 (ok)

That's great. Many thanks for pointing me in the right direction on this one.

Regards,

Brian.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
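The point of the exchange above, as an added example that is not part of the thread and not code from either poster: a client that trusts only the root CA cannot validate the server certificate unless the sub CA certificate is presented alongside it, which is exactly what the server has to do. The script below builds a three-level chain (root CA, sub CA, server certificate) with the openssl CLI, then uses "openssl verify" as an offline stand-in for the s_client test in the thread: once with the leaf alone (fails) and once with the leaf plus the sub CA as untrusted chain material (succeeds). Everything in it is assumed for illustration: the names root.ca.example, sub.ca.example and server.example.com, the extension files ca.ext and leaf.ext, and the file layout. It assumes an openssl binary of 1.1.1 or later and needs no network; the optional live_demo function reproduces the s_server/s_client exchange on loopback using s_server's -cert_chain option (available since OpenSSL 1.0.2).

```shell
#!/bin/sh
# Added example, not code from the thread: build a three-level chain
# (root CA -> sub CA -> server cert) with the openssl CLI and show why a
# client that trusts only the root cannot validate the server cert unless
# the sub CA certificate travels with it. All names (root.ca.example,
# sub.ca.example, server.example.com) and file names are made up here.
# Needs the openssl command (1.1.1 or later assumed); no network is used.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension files for "openssl x509 -req -extfile" (assumed layout):
# a CA certificate must carry CA:TRUE + keyCertSign, a leaf must not.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
              'keyUsage=critical,digitalSignature,keyEncipherment' \
              'extendedKeyUsage=serverAuth' \
              'subjectAltName=DNS:server.example.com' > leaf.ext

# Root CA: a CSR self-signed with its own key.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj '/O=Example CA/CN=root.ca.example' 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.ext -out root.pem 2>/dev/null

# Sub CA: a CSR signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj '/O=Example CA/CN=sub.ca.example' 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out sub.pem 2>/dev/null

# Server certificate: a CSR signed by the sub CA.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj '/CN=server.example.com' 2>/dev/null
openssl x509 -req -in server.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out server.pem 2>/dev/null

# What the server should send: leaf first, then the intermediate. The root
# is left out on purpose; a client that does not already trust it gains
# nothing from receiving it.
cat server.pem sub.pem > chain.pem

# verify_with_root_only: a client that trusts the root and is handed just
# the leaf. Exit status 0 = chain built, non-zero = "unable to get local
# issuer certificate".
verify_with_root_only() {
  openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
}

# verify_with_chain: the same client, with the server's extra certificates
# available as untrusted chain material (what s_client -showcerts lists).
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted chain.pem "$1" >/dev/null 2>&1
}

# chain_length: number of certificates in a PEM bundle.
chain_length() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# live_demo: the thread's s_server/s_client exchange on loopback. Not run by
# default because it needs a free TCP port; invoke as "sh chain.sh live 4433".
# -cert_chain is the s_server option for intermediates (OpenSSL 1.0.2+).
live_demo() {
  port=$1
  openssl s_server -accept "$port" -cert server.pem -key server.key \
    -cert_chain sub.pem -www >/dev/null 2>&1 &
  srv=$!
  sleep 1
  # A client that trusts only the root should now print
  # "Verify return code: 0 (ok)" and list certs 0 (leaf) and 1 (sub CA).
  printf 'Q\n' | openssl s_client -connect "127.0.0.1:$port" \
    -CAfile root.pem -showcerts 2>/dev/null \
    | grep -E '^ *[0-9] s:|^ *i:|Verify return code' || true
  kill "$srv"
}

if verify_with_root_only server.pem; then
  echo 'unexpected: leaf verified without the sub CA'; exit 1
fi
echo 'leaf alone: cannot build chain (expected)'
if verify_with_chain server.pem; then
  echo "leaf + sub CA ($(chain_length chain.pem) certs in chain.pem): verified"
else
  echo 'chain verification failed'; exit 1
fi

case "${1:-}" in live) live_demo "${2:-4433}" ;; esac
```

Two practical notes on the thread's fix. Passing the whole bundle through s_server -CAfile does make the chain visible to the server, but -CAfile is also the list of CAs s_server trusts for client certificates and advertises as acceptable client CAs, so it is broader than needed; -cert_chain (or a leaf-plus-intermediates file given to -cert in newer releases) limits the extra certificates to what the server sends. And the s_client run in the thread succeeded only because depth=2 was resolved from the trust store: the server may send the root, but the client must already have it in -CApath or -CAfile for "Verify return code: 0 (ok)".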