Hello everyone!  I have a couple of questions regarding certificate chains that 
I hope can be answered.  The certificate chain goes something like this: root 
CA -> subordinate CA -> endpoint.

1) Must each endpoint have access to the root CA certificate in order to 
establish client TLS connections?  I would think yes.  How else can the client 
validate the certificate chain presented to it by the server (i.e. sub CA cert 
and signed endpoint cert)?  Must all cert chains end in a self-signed root cert?

2) If the subordinate CA is configured to sign certificates and CRLs, shouldn't 
the X509v3 Key Usage field of the sub CA cert contain certificate sign and CRL 
sign?  Currently the sub CA I am using only has digital signature set, but it 
has signed a certificate signing request from my endpoint and I was able to 
obtain a signed CRL as well (Issuer of CRL is subject of sub CA cert).

3) When openssl verifies a certificate against a CRL (X509_V_FLAG_CRL_CHECK and 
X509_V_FLAG_CRL_CHECK_ALL flags set in X509_STORE), will it try to find the CA 
who signed this CRL in the store and verify the key usage for that cert is set 
to CRL sign?  I am currently getting an "unable to get CRL issuer certificate" 
error and I am trying to determine if it is because I do not have a root CA 
cert in the store or because the key usage field of the sub CA cert is 
incorrect.

4) How do I add multiple chained CA certs to the store?  Is 
X509_STORE_add_cert() sufficient?  Will all certificates be presented when an 
incoming TLS connection is established, or only all certs up to and not 
including the root CA certificate?

Any help with these questions would be greatly appreciated.  Thanks.


Leo Koutikas
SMTS Software Engineer
IPC Systems, Inc.
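The setup behind questions 2 to 4, as an added demonstration that is not part of the original post: a root -> sub CA -> endpoint chain built with the openssl CLI, an empty CRL from each CA, and `openssl verify -crl_check_all` (the CLI form of X509_V_FLAG_CRL_CHECK plus X509_V_FLAG_CRL_CHECK_ALL) run against a store holding the whole chain, a store missing the root, and a sub CA whose keyUsage is only digitalSignature. It assumes openssl 1.1.1 or later on PATH; all names and the ca.cnf below are constructed for the demo.

```sh
#!/bin/sh
# Added demo, not from the original post: build root -> sub CA -> endpoint with the
# openssl CLI, issue an (empty) CRL from each CA, then verify with full CRL checking,
# the CLI form of X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL. Names are made up.
set -eu
W=$(mktemp -d); cd "$W"; touch index.txt   # index.txt: the (empty) CA database
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_weak ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
[ ca ]
default_ca = myca
[ myca ]
database = index.txt
default_md = sha256
default_crl_days = 1
EOF
newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"; }
csr() { newkey "$1"; openssl req -new -config ca.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr"; }
# issue NAME ISSUER EXTSECTION: signing succeeds whatever ISSUER's keyUsage says
issue() { csr "$1"; openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 1 -extfile ca.cnf -extensions "$3" -out "$1.crt" 2>/dev/null; }
# gencrl NAME: empty CRL signed by NAME; keyUsage is not checked here either
gencrl() { openssl ca -config ca.cnf -gencrl -keyfile "$1.key" -cert "$1.crt" -out "$1.crl" 2>/dev/null; }
csr root; openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.cnf \
    -extensions v3_ca -out root.crt 2>/dev/null          # self-signed root
issue sub root v3_ca      # sub CA with keyCertSign + cRLSign
issue weak root v3_weak   # sub CA with digitalSignature only, as in question 2
issue leaf sub v3_leaf
issue leaf2 weak v3_leaf
gencrl root; gencrl sub; gencrl weak
# verify NAME CAFILE CRL...: -crl_check_all wants a CRL for every chain member, the
# self-signed root included; exit status 0 means the chain validated
verify() { c=$1; ca=$2; shift 2; cat "$@" > crls.pem
  openssl verify -crl_check_all -CAfile "$ca" -CRLfile crls.pem "$c.crt" >/dev/null 2>&1; }
cat root.crt sub.crt > full.pem    # whole chain in the trust store, cf. X509_STORE_add_cert
cat root.crt weak.crt > weak.pem
verify leaf full.pem root.crl sub.crl && echo "full store: OK"
verify leaf sub.crt root.crl sub.crl || echo "no self-signed root in store: FAIL"
verify leaf2 weak.pem root.crl weak.crl || echo "sub CA without keyCertSign/cRLSign: FAIL"
```

The two failing runs are silent because verify discards openssl's output; drop the redirections inside verify to see the specific verification error text for each case.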

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org