From what I understand, you need the trust anchor's certificate (e.g. Verisign)
so that you can check the server's certificate against the probably self-signed
Verisign certificate. It is supposed that you already have the certificates of
CAs you trust.
If your question is how to find a specific certificate online, the simple answer
is that you usually can't.



----- Original Message ----
From: AlokBhatnagar <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Sent: Friday, June 20, 2008 4:02:15 PM
Subject: Re: Server Authentication

Thanks David,

I know that the domain name should be the same as the common name in the server
certificate which is sent by the server to the client.

As I know, the SSL client verifies the server's certificate against the CA
certificate loaded in the client.

Suppose I trust Verisign CA. So my client must have the Verisign CA certificate
in order to verify the server's certificate.

So I want to ask, how will I get the CA certificate or list of CA
certificates that I trust?

Thanks

Regards
Alok Bhatnagar


----- Original Message -----
From: "David Schwartz" <[EMAIL PROTECTED]>
To: <openssl-users@openssl.org>
Sent: Friday, June 20, 2008 6:03 PM
Subject: RE: Server Authentication


>
> > So I want to know how my client will authenticate the server
> > since I don't have the server's root certificate?
>
> > Thanks in Advance..
>
> > Regards
> > Alok Bhatnagar
>
> That is completely application-dependent. The answer will depend on what
> makes the legitimate server different from an imposter.
>
> Your question is basically, "how can I detect an impostor?". And the answer
> is "as opposed to what?". For example, if the question is, "how can I tell
> the real amazon.com from an impostor who doesn't control that domain?" the
> answer is to see if the server presents a certificate with 'amazon.com' in
> the common name that is signed by a CA you trust.
>
> If you don't know what CAs you trust, then you have a problem.
>
> DS
>
>
> ______________________________________________________________________
> OpenSSL Project                                http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                          [EMAIL PROTECTED]
>
>
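
The client-side check this thread describes, run with the openssl command-line tool, as an added example that is not part of the original messages. The CA names, file names and www.example.test are constructed, and the throwaway roots stand in for CA certificates the client already holds.

```sh
#!/bin/sh
# Constructed demo: CA names and www.example.test are made up.
# Needs the openssl command-line tool (1.1.0 or later).

# make_ca DIR NAME: create a self-signed root certificate (a trust anchor).
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA HOST OUT: CA signs a server certificate whose common
# name is HOST. Call make_ca on DIR first (it writes ca.cnf).
issue_cert() {
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -keyout "$1/$4.key" -out "$1/$4.csr" 2>/dev/null
    openssl x509 -req -in "$1/$4.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$4.pem" 2>/dev/null
}

# check_server CAFILE CERT HOST: the client's decision. CERT must chain to
# a trust anchor in CAFILE and must name HOST; exit status 0 means accept.
check_server() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" DemoTrustedCA && make_ca "$d" DemoOtherCA || return 1
    issue_cert "$d" DemoTrustedCA www.example.test good || return 1
    issue_cert "$d" DemoOtherCA www.example.test impostor || return 1
    for c in good impostor; do
        for h in www.example.test other.example.test; do
            if check_server "$d/DemoTrustedCA.pem" "$d/$c.pem" "$h"
            then echo "$c as $h: accept"; else echo "$c as $h: reject"; fi
        done
    done
    rm -rf "$d"
}
demo
```

Only the certificate issued by the CA in the client's trust file, presented under the host name it was issued for, is accepted; the same common name signed by a CA the client does not hold is rejected.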

