Hi, Is there a way to instruct openssl to treat an intermediate CA as a trusted CA, which need not have its issuer checked i.e. it will be the last certificate of the certificate chain.
It seems that openssl insists on always terminating a chain at a self-signed certificate. However, in this case, we want to limit ourselves in a sub-tree of the CA and not expose ourselves to other branches of the hierarchy that are not relevant to us. We have no control over the generation of the certificates and we can't solve the problem by restructuring or recreating the CA hierarchy. To make things easier I will demonstrate with an example. Lets define 3 certificates A, B, and C. A is a self-signed root CA (root ca) B is a sub CA signed by A. (intermediate ca) C is a server certificate signed by B. (server certificate) A -> B -> C We would like to treat B as the end of the chain and never install A anywhere. As far as our setup is concerned, B is the root CA, it just happens to not be self-signed. We want to be able to connect a client, which trusts 'B', to a server that only has 'C'. 'A' should not enter the picture at all. What is the correct way to achieve this with openssl? Thanks, Dimitrios Siganos ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
