The only certificates that must be sent are the server identification
and the certs up to (but not including) the trust anchor. (Since the
client already has the trust anchor, it will verify against its local
copy of the root CA, not the copy of the root CA that came from the
connection.)
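The point above (the server presents its own certificate plus every intermediate up to, but not including, the root; the client matches the chain against the root it already holds) can be checked directly with the openssl command-line tool. The script below is an added example, not code from the thread or from OpenSSL's own documentation: it builds a root -> sub-CA -> server chain with invented names (Example Root CA, Example Sub CA, server.example.com, all constructed for the demo), then runs `openssl verify` as a client that trusts only the root. Extensions are written explicitly to ext files rather than left to whatever openssl.cnf the machine ships.

```shell
#!/bin/sh
# Added example (not from the thread): root -> sub-CA -> server chain, then
# verification by a client that holds ONLY the root CA certificate.
# Every name below is made up for the demonstration.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Key pair plus CSR for one subject.  $1 = file basename, $2 = CN.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

build_chain() {
    make_csr root   "Example Root CA"
    make_csr sub    "Example Sub CA"
    make_csr server "server.example.com"

    # Explicit extensions: CA certs carry CA:TRUE and keyCertSign, the leaf
    # carries CA:FALSE, serverAuth and a SAN.  Leaving these to a default
    # config is how "invalid extensions" end up in a chain.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/root.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/sub.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:server.example.com\n' > "$WORK/server.ext"

    # Root: self-signed.
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 -sha256 \
        -extfile "$WORK/root.ext" -out "$WORK/root.pem" >/dev/null 2>&1
    # Sub CA: issued by the root.
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" >/dev/null 2>&1
    # Server: issued by the sub CA.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1

    # What the server should present: its own cert plus the sub CA, root omitted.
    cat "$WORK/server.pem" "$WORK/sub.pem" > "$WORK/chain-to-send.pem"
}

# Client trusts only the root; server sent leaf + sub CA.  Expected: verifies.
client_verifies_with_sent_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain-to-send.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Client trusts only the root; server sent the leaf alone.  Expected: rejected
# ("unable to get local issuer certificate"), so this function returns 0 only
# when verification fails as it should.
client_fails_without_intermediate() {
    if openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Sending the root as well is harmless but pointless: the client still builds
# the path to its own local copy of the root, not the one in the handshake.
client_ignores_sent_root() {
    cat "$WORK/chain-to-send.pem" "$WORK/root.pem" > "$WORK/chain-with-root.pem"
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain-with-root.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

build_chain
client_verifies_with_sent_chain && echo "leaf + sub CA, root held locally: OK"
client_fails_without_intermediate && echo "leaf alone, root held locally: rejected as expected"
client_ignores_sent_root && echo "leaf + sub CA + root: OK (the sent root is not what gets trusted)"
```

The `-untrusted` file plays the role of the certificates received in the TLS handshake, and `-CAfile` plays the role of the client's local trust store; the second case is the failure a client sees when a server configured with only its own certificate sits under a sub-CA.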
Hi,
This question might be slightly silly and out of place but this
conversation brought it up to me. I don't remember seeing the answer...
Is it possible to send several chains, each rooted by a different CA?
And then let the client determine if he trusts one of those CAs.
Cheers,
Actually, there's a paper that was pointed out to me not too long ago
(by Philipp Gühring of CAcert.org) -- it /should/ be possible, however
there's a severe lack of support in the current implementations.
http://www.dfn-pca.de/bibliothek/reports/pki-linking/report-linking-final-1.0.2.pdf
I'm trying to get a client to verify a server certificate signed by a sub-CA
when the client has only the root CA certificate.
I'm using TinyCA (GUI wrapper around OpenSSL) as the CA. Here's what I've
done:
1. Created a root CA (CN=root.ca.linnet.org)
2. Created a sub CA under this
On Mon, Feb 27, 2006, Brian Candler wrote:
I'm trying to get a client to verify a server certificate signed by a sub-CA
when the client has only the root CA certificate.
I'm using TinyCA (GUI wrapper around OpenSSL) as the CA. Here's what I've
done:
1. Created a root CA
On Mon, Feb 27, 2006 at 01:41:33PM +0100, Dr. Stephen Henson wrote:
Since you didn't include the root CA it isn't possible to say why it isn't
excluded.
I notice the small serial numbers in the certificates and some invalid
extensions in there. I'd suggest using the CA.pl script (if you use
On Mon, Feb 27, 2006 at 08:05:59PM +0100, Dr. Stephen Henson wrote:
On Mon, Feb 27, 2006 at 07:36:16PM +, Brian Candler wrote:
Ah. I had just used -cert ../server.example.com-cert.pem (where this file
contains all the certificates). So now I've added -CAfile as well, pointing
to the same file:
#!/bin/sh
cd content
openssl s_server -cert