On 03/29/2011 01:16 PM, David Coulson wrote:
On 3/29/11 12:58 PM, Bruce Stephens wrote:
Add the -showcerts option to the s_client commands and you'll see the
first server returns a chain of certificates where the second offers
only the end server certificate.
Okay, I see that - Makes sense. When I hit the hostname w/ Firefox I'm
able to see a complete certificate chain. Where does it get that
information from?
David:
Firefox caches that information, so that it can use them later if you
view a similar certificate hierarchy.
If you view the Firefox Certificate Manager you should see "Software
Security Device" vs. that of "Built in Object" next to each of the
certificates in question outside of the Entrust Root CA, which should
say 'Built In...'.
Bruce:
You don't even need to use the 'showcerts' flag for 's_client' because
as one can see by looking at the digits in the right most column, which
is the certificate depth. Depth 0 is always the end entity/device
certificate and everything else may be a part of the hierarchy.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org