Somesh,

The server side is using one .pem file like this:

<private key>
<the certificate>
<intermediate 1>
<intermediate 2>
The <intermediate 2> was signed by one root CA available at the client side, and the two intermediates were supplied by the same root authority. I think that I didn't forget that.

On Tue, May 21, 2013 at 7:29 PM, Somesh Chakrabarti <itsmesom...@gmail.com> wrote:
> Jorge,
>
> On the server, you can copy all the public certs, i.e. the intermediates and
> the root, into one PEM file. That will send everything down to the client.
>
> Best,
> Somesh
>
>
> On Tuesday, May 21, 2013, Jorge Ventura wrote:
>>
>> I have an application (server) that is working using SSLv23 with a
>> regular certificate. Now I have to use one chain of two intermediate
>> certificates but for some reason, the openssl library is not sending the
>> chain and the only way to work correctly is when I inform the
>> client side about the intermediates.
>>
>> If I am understanding correctly, as long as the client trusts the
>> last certificate, it will trust all the intermediates.
>>
>> Below is a result using the command "openssl s_client ...".
>>
>> The client has only the Equifax root certificate; all other GeoTrust
>> certificates are intermediates. The file cacerts.pem in the command below has the
>> two intermediates included to force the command to succeed, but in the
>> real case, I don't have such information at the client side.
>>
>> Because the client trusts the connection when I supply the
>> intermediates, I suppose the server is not sending the intermediates,
>> only the first certificate in the chain, and in this case the command
>> fails.
>>
>>
>> $ openssl s_client -connect 10.10.10.10:443 -verify 5 -state -CAfile
>> cacerts.pem
>> verify depth is 5
>> SSL_connect:before/connect initialization
>> SSL_connect:SSLv2/v3 write client hello A
>> SSL_connect:SSLv3 read server hello A
>> depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>> verify return:1
>> depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>> verify return:1
>> depth=1 /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
>> verify return:1
>> depth=0
>> /serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
>> Lake/O=ACME, INC/CN=www.acme.com
>> verify return:1
>> SSL_connect:SSLv3 read server certificate A
>> SSL_connect:SSLv3 read server done A
>> SSL_connect:SSLv3 write client key exchange A
>> SSL_connect:SSLv3 write change cipher spec A
>> SSL_connect:SSLv3 write finished A
>> SSL_connect:SSLv3 flush data
>> SSL_connect:SSLv3 read finished A
>> CONNECTED(00000003)
>> ---
>> Certificate chain
>> 0
>> s:/serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
>> Lake/O=ACME, INC/CN=www.acme.com
>> i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> (the server certificate)
>> -----END CERTIFICATE-----
>>
>> subject=/serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
>> Lake/O=ACME, INC/CN=www.acme.com
>> issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1539 bytes and written 447 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : AES256-SHA
>> Session-ID:
>> 5FB55650BEEAE091441A5CEF4047A0243EE9D57AE8F0485CC1F951E2E97CAE06
>> Session-ID-ctx:
>> Master-Key:
>>
>> 06B036B9D47B297D2086CB6370108BB60102CD0FD7649F92351E15324D96E8614C566BF9040296177E2BDCA0A189472C
>> Key-Arg : None
>> Start Time: 1369178367
>> Timeout : 300 (sec)
>> Verify return code: 0 (ok)
>> ---
>> read:errno=0
>> SSL3 alert write:warning:close notify
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager majord...@openssl.org
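An added example, not code from the thread or from OpenSSL: a POSIX shell script that generates a throwaway root, intermediate and server certificate with the openssl CLI, assembles a server PEM in the layout Jorge describes (key, certificate, intermediate), checks that each certificate in that file is issued by the one after it, and shows that a client holding only the root verifies the server certificate only when the intermediate is supplied, which is the behaviour seen above with -CAfile. All names (Test Root, Test Intermediate, www.example.test) and file names are constructed for the example.

```shell
# Added example (not from the thread): throwaway root -> intermediate -> leaf chain,
# server PEM in the poster's layout (<key> <cert> <intermediate>) and two checks on it.
set -e
WORK=$(mktemp -d)
gen_chain() (
  cd "$WORK"
  # self-signed root; 'req -x509' marks it CA:TRUE by default
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -keyout root.key \
    -out root.pem -subj "/CN=Test Root" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >ca.ext
  # intermediate CA signed by the root
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout int.key -out int.csr \
    -subj "/CN=Test Intermediate" >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -sha256 -extfile ca.ext -out int.pem >/dev/null 2>&1
  # server (leaf) certificate signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout server.key \
    -out server.csr -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -sha256 -out server.pem >/dev/null 2>&1
  cat server.key server.pem int.pem >server-chain.pem   # the server-side file
)

# Subject (-subject) or issuer (-issuer) of a certificate, without the label prefix
name() { openssl x509 -noout -nameopt RFC2253 "$1" -in "$2" | sed 's/^[a-z]*= *//'; }
# Check 1: split the PEM into its certificates and confirm that the issuer of
# certificate N is the subject of certificate N+1. Prints chain-ok or chain-broken.
check_order() {
  count=$(awk -v d="$WORK" '/BEGIN CERTIFICATE/{n++; out=d "/c" n ".pem"; p=1}
    p{print >out} /END CERTIFICATE/{p=0; close(out)} END{print n+0}' "$1")
  i=1; status=chain-ok
  while [ "$i" -lt "$count" ]; do
    [ "$(name -issuer "$WORK/c$i.pem")" = "$(name -subject "$WORK/c$((i+1)).pem")" ] \
      || status=chain-broken
    i=$((i+1))
  done
  echo "$status"
}

# Check 2: verify the leaf as a client that trusts only the root; extra arguments
# go to 'openssl verify' (e.g. -untrusted int.pem to supply the intermediate).
verify_leaf() {
  openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/server.pem" >/dev/null 2>&1 \
    && echo verified || echo unable-to-verify
}
gen_chain
echo "chain order: $(check_order "$WORK/server-chain.pem")"   # chain-ok
echo "root only: $(verify_leaf)"                               # unable-to-verify
echo "with intermediate: $(verify_leaf -untrusted "$WORK/int.pem")"   # verified
```

Against a live server, `openssl s_client -showcerts` prints every certificate the server actually sent, so the same issuer/subject walk can be run over its output to confirm the intermediates are on the wire rather than only in the file.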