I believe as an SSL client you can add intermediate certs to /etc/ssl/cert.pem and they'll be used to validate the endpoint.

If you're an SSL server and your program doesn't let you specify a chain, you can just cat them on the end of the crt. E.g., I do something like the following when configuring certs in nginx:

root@host /etc/ssl# cat hostname.crt.201208 ca-bundle > hostname.chain.201208
root@host /etc/ssl# ln -s hostname.chain.201208 hostname.crt

and then I configure nginx to use the /etc/ssl/hostname.crt symlink to get the full chain.

dlg

On 08/08/2012, at 6:35 AM, Justin N. Lindberg wrote:

> I suppose my question boils down to "How can I validate certificates
> from SSL servers that fail to send intermediate certificates?"
>
> There seem to be quite a few such servers out there, including some I
> have little choice but to use, and OpenSSL apparently doesn't like to
> validate a certificate if the intermediate certificates are not present.
>
> I tried this with OpenBSD's Apache httpd, and I had to install an
> intermediate certificate chain file, and use a directive like
>
> SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem
>
> in httpd.conf in order for my certificate to validate with a web
> browser in OpenBSD. The default httpd.conf, which is rather verbosely
> self-documenting, does not mention this directive.
>
> My research leads me to believe that the tool "c_rehash", which is not
> installed by default, will allow me to put intermediate certificates
> like this somewhere OpenSSL can use them for validating certificates
> from servers that do not present a complete chain all the way to a
> certificate directly signed by one of the roots.
>
> Is there an easier or "right" way to do this? I feel like I must be
> doing something wrong when I'm driving myself bananas with all this
> technical fussing around just to validate common certificates.
>
> Thanks,
>
> --Justin
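The `cat hostname.crt ca-bundle > hostname.chain` trick above has one thing it can silently get wrong: the server certificate has to be first in the file, and each certificate's issuer has to be the subject of the one that follows it, otherwise nginx ends up serving the CA certificate as the server cert. The script below is an added example (not from the mail, nor from nginx or OpenSSL) that checks exactly that ordering on a concatenated PEM file using only the standard library. The certificates it builds for the demonstration are constructed test data with made-up names and a dummy signature, not real CA material; to check a real chain file, call `check_chain(open(path, "rb").read())`.

```python
"""Order check for a concatenated PEM chain file (leaf first, each issuer
matching the next subject).  Added example; standard library only.  The
sample certificates are constructed with a dummy signature for the demo."""
import base64
import re

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"                                   # id-at-commonName 2.5.4.3
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption


def _tlv(data, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(data, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(data, pos)
        yield tag, vs, ve
        pos = ve


def _name_str(der, start, end):
    """Render a Name (SEQUENCE OF SET OF {OID, string}) as 'v1/v2/...' for messages."""
    parts = []
    for _, rdn_s, rdn_e in _children(der, start, end):
        for _, atv_s, atv_e in _children(der, rdn_s, rdn_e):
            _, (_, vs, ve) = list(_children(der, atv_s, atv_e))
            parts.append(der[vs:ve].decode("utf-8", "replace"))
    return "/".join(parts)


def names_of(der):
    """Return [issuer, subject] of a DER certificate as (raw bytes, readable) pairs."""
    _, cert_s, cert_e = _tlv(der, 0)                       # Certificate
    _, tbs_s, tbs_e = next(_children(der, cert_s, cert_e))  # tbsCertificate
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber(0) signature(1) issuer(2) validity(3) subject(4) subjectPublicKeyInfo(5)
    return [(der[s:e], _name_str(der, s, e)) for _, s, e in (fields[2], fields[4])]


def check_chain(pem):
    """Return a list of ordering problems; [] means leaf first and every link matches."""
    certs = [base64.b64decode(m.group(1)) for m in PEM_CERT.finditer(pem)]
    if not certs:
        return ["no certificates found"]
    names = [names_of(c) for c in certs]
    problems = []
    for i in range(len(certs) - 1):
        (issuer_raw, issuer), _ = names[i]
        _, (next_raw, next_subject) = names[i + 1]
        if issuer_raw != next_raw:                         # compare DER bytes, as OpenSSL does
            problems.append(f"cert {i} is issued by '{issuer}' but cert {i + 1} is '{next_subject}'")
    return problems


# --- constructed test certificates (demo only, not real CA material) ---------------
def _der(tag, content):
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))  # {OID, UTF8String}
    return _der(0x30, _der(0x31, atv))                               # SEQUENCE { SET { atv } }


def make_cert(subject_cn, issuer_cn):
    """Constructed, unsigned certificate: the right DER shape with a dummy signature."""
    alg = _der(0x30, _der(0x06, OID_SHA256_RSA))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"120801000000Z") + _der(0x17, b"130801000000Z"))
               + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 5))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()


# Stand-ins for hostname.crt and the CA bundle (names are made up for the demo).
LEAF = to_pem(make_cert("hostname.example", "Example Intermediate CA"))
CA_BUNDLE = (to_pem(make_cert("Example Intermediate CA", "Example Root CA"))
             + to_pem(make_cert("Example Root CA", "Example Root CA")))
GOOD_CHAIN = LEAF + CA_BUNDLE   # cat hostname.crt ca-bundle: leaf first
BAD_CHAIN = CA_BUNDLE + LEAF    # cat ca-bundle hostname.crt: CA cert would be served as the server cert

if __name__ == "__main__":
    for label, chain in (("leaf first", GOOD_CHAIN), ("bundle first", BAD_CHAIN)):
        print(label + ":", check_chain(chain) or "OK")
```

This only checks that the file is linked in the order nginx expects; it verifies no signatures, key usage or validity dates, so `openssl verify` (or a browser) remains the real test once the file is in place.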