On Wed, Nov 10, 2010, Dimitrios Siganos wrote:

> Hi,
> 
> Is there a way to instruct openssl to treat an intermediate CA as a
> trusted CA, which need not have its issuer checked, i.e. it will be the
> last certificate of the certificate chain?
> 
> It seems that openssl insists on always terminating a chain at a
> self-signed certificate. However, in this case, we want to limit
> ourselves in a sub-tree of the CA and not expose ourselves to other
> branches of the hierarchy that are not relevant to us. We have no
> control over the generation of the certificates and we can't solve the
> problem by restructuring or recreating the CA hierarchy.
> 
> To make things easier I will demonstrate with an example. Let's define 3
> certificates A, B, and C.
> 
> A is a self-signed root CA (root ca)
> B is a sub CA signed by A. (intermediate ca)
> C is a server certificate signed by B. (server certificate)
> 
> A -> B -> C
> 
> We would like to treat B as the end of the chain and never install A
> anywhere. As far as our setup is concerned, B is the root CA, it just
> happens to not be self-signed.
> 
> We want to be able to connect a client, which trusts 'B', to a server
> that only has 'C'. 'A' should not enter the picture at all.
> 
> What is the correct way to achieve this with openssl?
> 

There is an EXPERIMENTAL change in the verify algorithm, present in the
unstable branch of OpenSSL only. In that, if you change the trust settings of
an intermediate certificate (see the x509 utility) and the chain cannot be
completed, it will still be regarded as successful.

The main change is:

http://cvs.openssl.org/chngview?cn=19322

This could be backported to 1.0.x at some point once it has been tested more.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
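The following script is an added example, not part of the thread and not code from the OpenSSL project. It builds the A -> B -> C chain from the question with constructed, throw-away certificates and then verifies the server certificate C with only B in the trust store, three ways: the default algorithm (which still demands a self-signed root and rejects the chain), the `-partial_chain` verify option that later releases (1.0.2 onwards) expose for exactly this situation, and the route Steve describes, attaching explicit trust settings to B with the x509 utility and verifying for a matching purpose. It assumes an `openssl` binary of version 1.1.1 or later on PATH; the config sections, file names and the `server.example` name are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): build the A -> B -> C chain from the
# question with constructed throw-away certificates, then verify the server
# certificate C against the intermediate B alone, three ways.
# Assumes: openssl 1.1.1 or later on PATH (-partial_chain needs >= 1.0.2).
set -e

# Write a minimal openssl config so no system openssl.cnf is needed.
# The [dn] entry is a placeholder; -subj on the command line overrides it.
write_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example
EOF
}

# make_chain DIR: A (self-signed root), B (sub CA signed by A), C (server
# certificate signed by B), all written into DIR.
make_chain() {
    d="$1"
    write_config "$d/cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Root A" \
        -config "$d/cfg" -extensions v3_ca -keyout "$d/A.key" -out "$d/A.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Sub CA B" \
        -config "$d/cfg" -keyout "$d/B.key" -out "$d/B.csr" 2>/dev/null
    openssl x509 -req -in "$d/B.csr" -CA "$d/A.pem" -CAkey "$d/A.key" -CAcreateserial \
        -days 365 -extfile "$d/cfg" -extensions v3_ca -out "$d/B.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -config "$d/cfg" -keyout "$d/C.key" -out "$d/C.csr" 2>/dev/null
    openssl x509 -req -in "$d/C.csr" -CA "$d/B.pem" -CAkey "$d/B.key" -CAcreateserial \
        -days 365 -extfile "$d/cfg" -extensions v3_server -out "$d/C.pem" 2>/dev/null
}

# Default verification: B is in the trust store but is not self-signed, so
# openssl keeps looking for A, cannot find it, and rejects the chain
# ("unable to get issuer certificate").
verify_default() {
    openssl verify -CAfile "$1/B.pem" "$1/C.pem" >/dev/null 2>&1
}

# -partial_chain lets any certificate in the trust store end the chain,
# so B acts as the trust anchor and A never enters the picture.
verify_partial() {
    openssl verify -partial_chain -CAfile "$1/B.pem" "$1/C.pem" >/dev/null 2>&1
}

# The route the reply points at: give B explicit trust settings with the
# x509 utility (TRUSTED CERTIFICATE output) and verify for a matching
# purpose; a certificate explicitly trusted for that purpose is accepted
# as the end of the chain even though it is not self-signed.
verify_trusted() {
    openssl x509 -in "$1/B.pem" -addtrust serverAuth -trustout \
        -out "$1/B.trusted.pem" 2>/dev/null &&
    openssl verify -purpose sslserver -CAfile "$1/B.trusted.pem" "$1/C.pem" >/dev/null 2>&1
}

# Stand-alone run; expected output:
#   verify_default: rejected
#   verify_partial: accepted
#   verify_trusted: accepted
work=$(mktemp -d)
make_chain "$work"
for check in verify_default verify_partial verify_trusted; do
    if "$check" "$work"; then echo "$check: accepted"; else echo "$check: rejected"; fi
done
rm -rf "$work"
```

Only the intermediate is ever installed on the client side; the script never copies A anywhere after generating it, which is the constraint the question sets. The `verify_default` failure is the behaviour the question complains about, and the two accepting variants are the two ways later OpenSSL releases let a non-self-signed certificate terminate the chain.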