Hello group,

I have a question regarding the verify method of OpenSSL: If I have a
certificate chain

Root -> A -> B -> Leaf

where "Leaf" is the certificate of a webserver (https) and Root is a
self-signed certificate.

In this scenario, is it valid for the webserver to provide only A/B/Leaf
and omit "Root" during the SSL handshake? I'm seeing strange errors and
noticed that a webserver of ours is configured in that manner (and it
seems odd to me).

Also, when I have certificates A + B and do:

$ openssl verify -CApath /sys -CAfile certA.crt certB.crt
certB.crt: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
error 2 at 1 depth lookup:unable to get issuer certificate

(I'm only using /sys to make openssl not pull in /etc/ssl/certs)

The verify fails. Why is that? The immediate signature is valid, does
the "verify" command expect to always terminate at a self-signed
certificate?

Or, in other words: Let's assume I have an ultimate root (self-signed)
"Root" and a branched CA "X". I would like to trust "X" and all its
children, but not "Root". Is this not possible?

Best regards,
Johannes
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
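The situation described in the post, as an added worked example (this is the editor's script, not code from the original post or from the OpenSSL project): it builds a throwaway chain Root -> A -> B -> Leaf with the openssl command-line tool, reproduces the "error 2 at 1 depth lookup: unable to get issuer certificate" result when only A is trusted and B is verified, and then shows the same check passing with -partial_chain (X509_V_FLAG_PARTIAL_CHAIN, available in the verify command since OpenSSL 1.0.2), which lets any certificate found in the trusted store act as the anchor. The names Root, A, B and Leaf, the temporary paths, and the empty -CApath directory (standing in for the "-CApath /sys" trick, so the system store is never consulted) are all constructed for this demo; the only requirement is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (editor's own, not from the original post or the OpenSSL
# project): build a throwaway chain Root -> A -> B -> Leaf and run
# `openssl verify` the way the question does.  All names and paths are
# constructed for this demo.  Needs the openssl binary (1.0.2 or newer
# for -partial_chain).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EMPTY="$WORK/empty-capath"   # empty -CApath so the system store is never consulted
mkdir -p "$EMPTY"

# issue NAME ISSUER EXTFILE: self-signed when ISSUER is empty, else signed by ISSUER
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
      -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  if [ -z "$2" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -days 1 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
      > "$WORK/leaf.ext"
  issue Root ""   "$WORK/ca.ext"
  issue A    Root "$WORK/ca.ext"
  issue B    A    "$WORK/ca.ext"
  issue Leaf B    "$WORK/leaf.ext"
  # What a server sends next to Leaf: the intermediates only, no Root.
  cat "$WORK/A.crt" "$WORK/B.crt" > "$WORK/intermediates.pem"
}

# verify_case CAFILE UNTRUSTED FLAGS TARGET
# Prints "OK", or the "error N" token openssl reports (2 = unable to get issuer
# certificate, i.e. the store cert is not self-signed and its issuer is missing;
# 20 = unable to get local issuer certificate, i.e. an intermediate is missing).
verify_case() {
  cafile=$1; untrusted=$2; flags=$3; target=$4
  set -- -CAfile "$cafile" -CApath "$EMPTY"
  if [ -n "$untrusted" ]; then set -- "$@" -untrusted "$untrusted"; fi
  if [ -n "$flags" ]; then set -- "$@" $flags; fi   # word-splitting intended
  out=$(openssl verify "$@" "$target" 2>&1 || true)
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*\(error [0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

build_chain

# 1. The post's situation: only A trusted, verify B.  The signature on B is fine,
#    but the chain does not end at a self-signed certificate in the store -> error 2.
echo "B vs A (default):        $(verify_case "$WORK/A.crt" "" "" "$WORK/B.crt")"
# 2. -partial_chain makes any cert found in the trusted store an acceptable
#    anchor, so trusting "X and its children" without Root works.
echo "B vs A (-partial_chain): $(verify_case "$WORK/A.crt" "" "-partial_chain" "$WORK/B.crt")"
echo "Leaf vs A, B untrusted:  $(verify_case "$WORK/A.crt" "$WORK/B.crt" "-partial_chain" "$WORK/Leaf.crt")"
# 3. The server-side question: Leaf plus A/B with Root omitted verifies as long
#    as the client already trusts Root.  Without the intermediates it is error 20.
echo "Leaf vs Root + A/B:      $(verify_case "$WORK/Root.crt" "$WORK/intermediates.pem" "" "$WORK/Leaf.crt")"
echo "Leaf vs Root alone:      $(verify_case "$WORK/Root.crt" "" "" "$WORK/Leaf.crt")"
```

Without -partial_chain the verify command does expect the chain it builds to end at a self-signed certificate from the trusted store, which is exactly the error 2 shown in the post. On OpenSSL 1.1.0 and later the empty -CApath directory can be replaced by -no-CAfile -no-CApath to exclude the default locations.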