I suppose my question boils down to "How can I validate certificates
from SSL servers that fail to send intermediate certificates?"

There seem to be quite a few such servers out there, including some I
have little choice but to use, and OpenSSL apparently doesn't like to
validate a certificate if the intermediate certificates are not present.

I tried this with OpenBSD's Apache httpd, and I had to install an
intermediate certificate chain file, and use a directive like

SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem

in httpd.conf in order for my certificate to validate with a web
browser in OpenBSD. The default httpd.conf, which is rather verbosely
self-documenting, does not mention this directive.

My research leads me to believe that the tool "c_rehash", which is not
installed by default, will allow me to put intermediate certificates
like this somewhere OpenSSL can use them for validating certificates
from servers that do not present a complete chain all the way to a
certificate directly signed by one of the roots.

Is there an easier or "right" way to do this?  I feel like I must be
doing something wrong when I'm driving myself bananas with all this
technical fussing around just to validate common certificates.

Thanks,

--Justin

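The situation described in the message above, as an added worked example that is not part of the original post: a throwaway root -> intermediate -> leaf chain is generated with the openssl command-line tool, the leaf is then verified three ways: against the root alone (fails with "unable to get local issuer certificate", which is exactly what a client sees when a server omits its intermediate), with the intermediate supplied as -untrusted (the chain the server should have sent), and via a hashed -CApath directory populated the way c_rehash / "openssl rehash" would populate it. The CA names, file names and the work directory are invented for the demo; it needs only a standard openssl binary (1.1.1 or later) and no network.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates why a leaf
# certificate fails to verify when only the root is trusted, and the two
# ways to supply the missing intermediate to openssl. All names and
# paths below are made up for the demo.

# Build root, intermediate and leaf certificates under directory $1.
build_demo_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"

    # Root CA: CSR, then self-signed with CA extensions.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=Example Root CA" \
        >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1 || return 1

    # Intermediate CA: signed by the root, must itself carry CA:TRUE.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" \
        -subj "/CN=Example Intermediate CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -days 1825 -extfile "$d/ca.ext" \
        -out "$d/intermediate.pem" >/dev/null 2>&1 || return 1

    # Leaf (server) certificate: signed by the intermediate, not the root.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=www.example.test" \
        >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -CAcreateserial -days 365 \
        -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1 || return 1
}

# 1. What a client with only the root trusted sees when the server sends
#    just its leaf: openssl cannot find the leaf's issuer and fails.
verify_root_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# 2. Hand the intermediate to openssl as an untrusted chain certificate.
#    This is the same role the server's SSLCertificateChainFile plays.
verify_with_untrusted() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

# 3. Hashed directory: each certificate is stored as <subject_hash>.0 so
#    that -CApath lookups by issuer name find it. This is what c_rehash
#    (or "openssl rehash <dir>") does; done by hand here so the mechanism
#    is visible. The root must be present too, since openssl keeps
#    climbing until it reaches a self-signed certificate.
make_hash_dir() {
    mkdir -p "$1/certs" || return 1
    for f in root.pem intermediate.pem; do
        h=$(openssl x509 -noout -subject_hash -in "$1/$f") || return 1
        cp "$1/$f" "$1/certs/$h.0" || return 1
    done
}

verify_with_capath() {
    openssl verify -CApath "$1/certs" "$1/leaf.pem" >/dev/null 2>&1
}

# Stand-alone run: build the chain in a temp dir and report each outcome.
main() {
    w=$(mktemp -d) || exit 1
    build_demo_pki "$w" || { echo "PKI generation failed"; exit 1; }
    if verify_root_only "$w"; then echo "root only: OK (unexpected)"
    else echo "root only: FAIL (missing intermediate)"; fi
    if verify_with_untrusted "$w"; then echo "-untrusted intermediate: OK"; fi
    make_hash_dir "$w" && verify_with_capath "$w" && echo "-CApath hashed dir: OK"
    rm -rf "$w"
}

main
```

The "root only" failure is the error the post is asking about; the -untrusted form is the precise substitute for what a misconfigured server omits, while the -CApath form is the persistent fix (install the intermediates, then run c_rehash or openssl rehash on the directory). Note that anything placed in the hashed directory is treated as trusted by openssl, so only put there intermediates whose issuer chain you have already checked.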