On Sun, Jul 02, 2006, snacktime wrote:

> On 7/2/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> > On Sun, Jul 02, 2006, snacktime wrote:
> >
> > > Oops, you will also need this cert in the ca chain. The client cert
> > > that does verify was issued by this cert, which was issued by the
> > > root. The one I gave you that does not verify was issued by the root
> > > ca directly.
> > >
> >
> > That's your problem then. OpenSSL needs to find the intermediate CA. This
> > can be either sent by the other party or explicitly on the command line.
> >
> > So in the example with "openssl verify" you can include:
> >
> > -untrusted intca.pem
> >
> > and it should work. Similarly if you have a webserver the SSL client (e.g.
> > firefox) needs to be able to see the intermediate CA. You do this by either
> > including the CA in your list of trusted CAs or specifying it manually as an
> > "additional certificate".
>
> The certificate I sent that doesn't verify doesn't need the
> intermediate cert, it was issued by the root cert. The other client
> certificate that does verify was signed by the intermediate.
> It's not simply a matter of trying to verify against the wrong ca, or
> not having them in the browser, it's something else.
>
The intermediate CA does not need to be loaded in the browser. However the
server does need to *send* the intermediate CA to the browser so it can use it
to verify the chain. In the case of certificates signed by the root CA directly
the browser can verify the chain using just the root CA which is installed and
trusted.

> One strange thing with firefox. The certificate that does not verify
> will show up in firefox under 'My Certificates' under the correct CA.
> But when you view it, it says the issuer is unknown and in the
> hierarchy it just shows itself. In IE everything is fine. Also,
> when I create a new CA with my software, the certs I sign with it
> verify ok. It's only certs signed by the ca I created a couple of
> years ago that won't verify. So, there is something in the new certs
> I am creating that isn't compatible with the old ca certs.
>

If you are getting odd behaviour there are a couple of possibilities. If the
certificate database is corrupted that could cause this. Another possibility is
that the issuer name and serial number are identical for two distinct
certificates: that is a violation of the standards. MSIE can tolerate such a
violation but Firefox will not.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
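The two verification cases discussed in the thread (a leaf issued by an intermediate, which `openssl verify` can only chain with `-untrusted intca.pem`, and a leaf issued directly by the root, which verifies against the root alone) plus the issuer-name/serial-number collision Steve mentions, reproduced as an added shell example. This is not code from the original thread or from the OpenSSL project; it builds throwaway EC keys and certificates in a temporary directory with the `openssl` CLI. The CA names, serial numbers, file names and the deliberately duplicated serial are all constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build root -> intermediate -> leaf and
# reproduce the "unable to get local issuer certificate" case from the thread.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so the result does not depend on the system openssl.cnf.
# Section names and DNs are assumptions for this example.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
EOF

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Root CA: self-signed, CA:TRUE.
openssl req -x509 -config ca.cnf -extensions v3_ca $KEYOPTS \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem -days 3650 >/dev/null 2>&1

# Intermediate CA: CSR signed by the root. It must carry CA:TRUE or OpenSSL
# will refuse to use it as an issuer when it is passed via -untrusted.
openssl req -new -config ca.cnf $KEYOPTS -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 1 \
  -extfile ca.cnf -extensions v3_ca -days 1825 -out int.pem >/dev/null 2>&1

# Leaf issued by the intermediate (the cert that "needs the chain").
openssl req -new -config ca.cnf $KEYOPTS -subj "/CN=leaf-via-intermediate" \
  -keyout leaf_int.key -out leaf_int.csr >/dev/null 2>&1
openssl x509 -req -in leaf_int.csr -CA int.pem -CAkey int.key -set_serial 100 \
  -extfile ca.cnf -extensions v3_leaf -days 365 -out leaf_int.pem >/dev/null 2>&1

# Leaf issued directly by the root (verifies with the root alone).
openssl req -new -config ca.cnf $KEYOPTS -subj "/CN=leaf-via-root" \
  -keyout leaf_root.key -out leaf_root.csr >/dev/null 2>&1
openssl x509 -req -in leaf_root.csr -CA root.pem -CAkey root.key -set_serial 2 \
  -extfile ca.cnf -extensions v3_leaf -days 365 -out leaf_root.pem >/dev/null 2>&1

# Constructed violation: a second, distinct cert from the root that reuses
# serial 2. Issuer name + serial number must be unique per issuer.
openssl req -new -config ca.cnf $KEYOPTS -subj "/CN=duplicate-serial" \
  -keyout dup.key -out dup.csr >/dev/null 2>&1
openssl x509 -req -in dup.csr -CA root.pem -CAkey root.key -set_serial 2 \
  -extfile ca.cnf -extensions v3_leaf -days 365 -out dup.pem >/dev/null 2>&1

# verify_cert CERT [UNTRUSTED]: exit 0 if CERT chains to root.pem. The optional
# second argument is handed to openssl verify as -untrusted, as in the thread.
verify_cert() {
  if [ -n "$2" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
  fi
}

# issuer_serial CERT...: one "issuer=...|serial=...|" line per certificate.
issuer_serial() {
  for c in "$@"; do
    openssl x509 -noout -issuer -serial -in "$c" | tr '\n' '|'
    echo
  done
}

# dup_issuer_serial_count CERT...: number of (issuer, serial) pairs that occur
# more than once across the given certificates. Anything above 0 is the
# standards violation Firefox chokes on.
dup_issuer_serial_count() {
  issuer_serial "$@" | sort | uniq -d | wc -l | tr -d ' '
}

if verify_cert leaf_int.pem; then echo "leaf_int without intermediate: OK (unexpected)"; else echo "leaf_int without intermediate: FAILS, as in the thread"; fi
if verify_cert leaf_int.pem int.pem; then echo "leaf_int with -untrusted int.pem: OK"; fi
if verify_cert leaf_root.pem; then echo "leaf_root with root only: OK"; fi
echo "duplicate issuer/serial pairs: $(dup_issuer_serial_count leaf_root.pem dup.pem leaf_int.pem)"
```

The same `-untrusted` requirement is what a TLS server satisfies by sending the intermediate in its certificate chain: `openssl s_client -showcerts` against a server that only sends the leaf shows exactly the "unable to get local issuer certificate" failure that `verify_cert leaf_int.pem` produces here.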