On Thu January 12 2012, Johannes Bauer wrote:
> Hello group,
>
> I have a question regarding the verify method of OpenSSL: If I have a
> certificate chain
>
> Root -> A -> B -> Leaf
>
> where "Leaf" is the certificate of a webserver (https) and Root is a
> self-signed certificate.
>
> In this scenario, is it valid for the webserver to provide only A/B/Leaf
> and omit "Root" during the SSL handshake? I'm seeing strange errors and
> noticed that a webserver of ours is configured in that manner (and it
> seems odd to me).
>
It is a "third party" verification system that is used. How could you trust the server to tell you itself who it is? Thus, the need for obtaining the root certificate some way other than having it sent by the server in question.

And yes, 'root' certificates are self-signed, signed by an 'independent' third party in the business of being trusted for that purpose. In this post, the 'trusted third party' seems to be your own network admin (which may be yourself ;-) ).

Mike

> Also, when I have certificates A + B and do:
>
> $ openssl verify -CApath /sys -CAfile certA.crt certB.crt
> certB.crt: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
> Primary Certification Authority - G5
> error 2 at 1 depth lookup:unable to get issuer certificate
>
> (I'm only using /sys to make openssl not pull in /etc/ssl/certs)
>
> The verify fails. Why is that? The immediate signature is valid, does
> the "verify" command expect to always terminate at a self-signed
> certificate?
>
> Or, in other words: Let's assume I have an ultimate root (self-signed)
> "Root" and a branched CA "X". I would like to trust "X" and all its
> children, but not "Root". Is this not possible?
>
> Best regards,
> Johannes
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
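To make the trust-anchor point concrete, and to show the flag that answers the "trust X but not Root" question, here is an added example that is not part of the thread and not OpenSSL's own code. It rebuilds the Root -> A -> B -> Leaf chain from the question with throwaway P-256 keys and made-up names (Example Root, Example CA A, Example CA B, www.example.test), then runs `openssl verify` against it the way the question does. It assumes `openssl` 1.1.0 or newer on PATH: `-no-CAfile`/`-no-CApath` stand in for the `-CApath /sys` trick, and `-partial_chain`, which lets a chain end at a trusted certificate that is not self-signed, has existed since 1.0.2.

```shell
#!/bin/sh
# Added example, not part of the thread: rebuild the Root -> A -> B -> Leaf
# chain from the question with throwaway P-256 keys and run `openssl verify`
# against it. Assumes `openssl` 1.1.0 or newer on PATH (-no-CAfile/-no-CApath);
# -partial_chain itself dates from 1.0.2.
set -eu

PKI=$(mktemp -d)                     # throwaway PKI; removed on exit
trap 'rm -rf "$PKI"' EXIT

# issue NAME SUBJECT ISSUER EXTENSIONS   (ISSUER empty => self-signed root)
issue() {
    name=$1 subj=$2 issuer=$3 ext=$4
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$PKI/$name.key" -subj "$subj" -out "$PKI/$name.csr" 2>/dev/null
    printf '%s\n' "$ext" >"$PKI/$name.ext"
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$PKI/$name.csr" -signkey "$PKI/$name.key" \
            -days 30 -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/$issuer.crt" \
            -CAkey "$PKI/$issuer.key" -CAcreateserial -days 30 \
            -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" 2>/dev/null
    fi
}

# Names are made up for the demo; the shape is the one in the question.
build_chain() {
    ca='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
    issue root '/CN=Example Root'     ''   "$ca"
    issue A    '/CN=Example CA A'     root "$ca"
    issue B    '/CN=Example CA B'     A    "$ca"
    issue leaf '/CN=www.example.test' B    'basicConstraints=CA:FALSE'
    # What a correctly configured https server sends: the intermediates, no root.
    cat "$PKI/A.crt" "$PKI/B.crt" >"$PKI/intermediates.pem"
}

# verify ARGS...: openssl verify with the default trust locations switched off
# (the portable form of the question's `-CApath /sys` trick; OpenSSL 3 adds
# -no-CAstore for its third default location). Returns openssl's status.
verify() {
    if openssl verify -no-CAfile -no-CApath "$@" 2>&1; then return 0; else return 1; fi
}

# The question's command: trust A only, verify B. A is not self-signed, so the
# chain cannot end at a trust anchor and OpenSSL reports
# "error 2 at 1 depth lookup: unable to get issuer certificate".
verify_b_with_a_only()     { verify -CAfile "$PKI/A.crt" "$PKI/B.crt"; }

# Same, but let the chain end at the non-root anchor A: "B.crt: OK".
verify_b_with_a_partial()  { verify -partial_chain -CAfile "$PKI/A.crt" "$PKI/B.crt"; }

# A client's view of the handshake: Root from its own store, A and B supplied
# by the server as untrusted intermediates, Root never on the wire: OK.
verify_leaf_server_chain() {
    verify -CAfile "$PKI/root.crt" -untrusted "$PKI/intermediates.pem" "$PKI/leaf.crt"
}

# A client with an empty store and only what the server sent: fails with
# "unable to get local issuer certificate". Server-supplied certificates
# alone can never establish trust.
verify_leaf_server_only()  { verify -untrusted "$PKI/intermediates.pem" "$PKI/leaf.crt"; }

# The last question in the thread: trust the branched CA B and everything
# below it, but not Root. -partial_chain makes B an acceptable anchor: OK.
verify_leaf_trust_b_only() { verify -partial_chain -CAfile "$PKI/B.crt" "$PKI/leaf.crt"; }

build_chain
for step in verify_b_with_a_only verify_b_with_a_partial verify_leaf_server_chain \
            verify_leaf_server_only verify_leaf_trust_b_only; do
    echo "== $step"
    "$step" || true
done
```

Run it as a script; each step prints openssl's verdict. The first step reproduces the question's error 2: the chain reached A, A is in the trust store but is not self-signed, and without `-partial_chain` OpenSSL keeps walking up and cannot find A's issuer. The third step is the webserver from the question: leaving Root out of the handshake is the normal configuration, because the client has to hold Root in its own store already.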