Right on! I think it is indeed an issue of partial chain on the loading side.
As a related question, on the loading side, do I need to provide the whole chain to SSL_CTX_use_certificate? If the intermediate CA certificate is installed into default locations like /etc/ssl/certs, and only the end certificate is passed to SSL_CTX_use_certificate, will openssl search the default locations to build a complete chain before sending it to the remote side? Thanks.

From: Jakob Bohm <jb-open...@wisemo.com>
Sent: Friday, April 21, 2017 5:10 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Certificate chain validation

On 21/04/2017 03:37, Lei Kong wrote:
>
> When validating a certificate issued by an intermediate certificate
> authority, I noticed that I need to install both the root and the
> intermediate CA certificate locally (with update-ca-certificates on
> ubuntu 16.04). Verification fails if only root CA cert is installed
> (intermediate is not installed), is this expected behavior? Why do I
> need to install intermediate CA cert locally? Locally installed root
> CA cert is not enough to validate intermediate CA cert?
>
This is only necessary if the other end of the connection (incorrectly)
forgets to include the intermediate in the certificate bundle sent with
the data or protocol exchange.

> Is it possible to make chain validation work with only root CA cert
> installed locally?
>
Yes, if the other end is not misconfigured and you pass the received
certificate bundle to the appropriate validation related function as a
list of untrusted additional certificates, which the certificate
verification code can search for needed intermediate certificates.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
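The verification behaviour discussed in this thread, reproduced end to end as an added example (editor's example, not code from either poster or from the OpenSSL project). It builds a throwaway root -> intermediate -> leaf PKI with the openssl command line tool and then runs "openssl verify" four ways: with only the root trusted and only the leaf presented (what Lei Kong saw fail), with the intermediate passed as an untrusted helper certificate (what Jakob Bohm describes, and what a client does with the bundle the peer sent), with the intermediate installed as trusted next to the root (the update-ca-certificates workaround), and with -partial_chain trusting the intermediate directly. Assumptions: an openssl CLI of 1.1.0 or newer on PATH (for -no-CAfile/-no-CApath), and the file names, subject names and one-day validity are arbitrary choices for the demonstration.

```shell
#!/bin/sh
# Editor's example, not from the thread: reproduce the chain-validation
# cases discussed above with a locally constructed three-tier test PKI.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the two CA certificates. Without CA:TRUE on the
# intermediate, the verifier would refuse to use it as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# make_test_pki: root -> intermediate -> leaf (assumed names, 1 day validity).
make_test_pki() {
    # Root: CSR self-signed with its own key.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj '/CN=Example Test Root' 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
        -out root.pem 2>/dev/null
    # Intermediate CA: signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj '/CN=Example Test Intermediate' 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out int.pem 2>/dev/null
    # Leaf (end-entity): signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj '/CN=leaf.example.test' 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 1 -out leaf.pem 2>/dev/null
}

# Each verify_* function returns openssl's exit status (0 = chain OK).
# -no-CAfile/-no-CApath keep the default system locations such as
# /etc/ssl/certs out of the picture, so the outcome depends only on what
# is passed explicitly.

# Case 1: only the root is trusted and only the leaf is presented, i.e.
# the peer forgot to send the intermediate. Expected to FAIL.
verify_root_only() {
    openssl verify -no-CAfile -no-CApath -CAfile root.pem leaf.pem
}

# Case 2: root trusted, intermediate supplied as an *untrusted* helper
# certificate, which is what a client does with the bundle the peer sent.
# Expected to succeed.
verify_with_untrusted() {
    openssl verify -no-CAfile -no-CApath -CAfile root.pem -untrusted int.pem leaf.pem
}

# Case 3: the workaround from the original question: install the
# intermediate as trusted next to the root. Succeeds, but it papers over
# a misconfigured peer rather than fixing it.
verify_intermediate_trusted() {
    cat root.pem int.pem > trusted.pem
    openssl verify -no-CAfile -no-CApath -CAfile trusted.pem leaf.pem
}

# Case 4: partial chain: trust the intermediate directly and stop there,
# never reaching the root. Expected to succeed.
verify_partial_chain() {
    openssl verify -no-CAfile -no-CApath -partial_chain -CAfile int.pem leaf.pem
}

# run_demo: build the PKI and print one line per case.
run_demo() {
    make_test_pki
    for f in verify_root_only verify_with_untrusted \
             verify_intermediate_trusted verify_partial_chain; do
        if "$f" >/dev/null 2>&1; then
            echo "$f: OK"
        else
            echo "$f: FAILED (status $?)"
        fi
    done
}

run_demo
```

Case 1 fails with "unable to get local issuer certificate", the same condition that made the intermediate look mandatory in the original question; the difference between case 1 and case 2 is nothing but the -untrusted argument, which is the command-line equivalent of handing the received bundle to the verifier as untrusted certificates. On the sending side, SSL_CTX_use_certificate installs only the end-entity certificate; the intermediate has to be added to what the server sends (for example with SSL_CTX_use_certificate_chain_file or SSL_CTX_add_extra_chain_cert), otherwise every client ends up in case 1. OpenSSL 3 additionally has -no-CAstore for the default store URI if you want the system store excluded completely.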