Yeah, sure...

As per man page:

  -partial_chain
           Allow verification to succeed even if a complete chain cannot be built to a self-signed trust-anchor,
           provided it is possible to construct a chain to a trusted certificate that might not be self-signed.

And you can test it quite easily with the attached generated certs
using:

  openssl verify [-partial_chain] \
    -CAfile test_CA/intermediate_CA/SSSD_test_intermediate_CA.pem \
    test_CA/intermediate_CA/SSSD_test_intermediate_CA_cert_x509_0001.pem

While when using -partial_chain will only match when using
test_CA/intermediate_CA/SSSD_test_intermediate_CA_full_db.pem as CAfile

** Attachment added: "Test CA certificates chain"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563/+attachment/5481720/+files/test_CA.tar.xz

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1919563

Title:
  updated sssd with smart cards now brick systems without full cert
  chain

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
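
The check described in the message above, as an added example that is not part of the original e-mail or its attachment: a throwaway root, intermediate and leaf chain is generated, then the leaf is verified against an intermediate-only CAfile with and without `-partial_chain`, and against a bundle holding the full chain. All file names, subjects and the helper functions are constructed for this demo.

```bash
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf chain, then
# `openssl verify` with and without -partial_chain. All names are made up.

# Minimal config so the demo does not depend on a system openssl.cnf.
write_cfg() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# build_chain DIR: creates root.pem, inter.pem, leaf.pem and full.pem in DIR.
build_chain() (
  cd "$1" || exit 1
  write_cfg cfg
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Demo Root CA" -days 2 -config cfg -extensions v3_ca
  for n in inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=Demo $n" -config cfg
  done
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 2 -extfile cfg -extensions v3_ca
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out leaf.pem -days 2
  cat root.pem inter.pem > full.pem   # bundle holding the complete chain
) >/dev/null 2>&1

# verify_result CAFILE CERT [FLAGS...]: prints "ok" or "fail".
verify_result() {
  cafile=$1; cert=$2; shift 2
  if openssl verify "$@" -CAfile "$cafile" "$cert" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

DEMO_DIR=$(mktemp -d)
build_chain "$DEMO_DIR"
echo "intermediate only:                 $(verify_result "$DEMO_DIR/inter.pem" "$DEMO_DIR/leaf.pem")"
echo "intermediate only, -partial_chain: $(verify_result "$DEMO_DIR/inter.pem" "$DEMO_DIR/leaf.pem" -partial_chain)"
echo "root + intermediate bundle:        $(verify_result "$DEMO_DIR/full.pem" "$DEMO_DIR/leaf.pem")"
```

With only the intermediate in the CAfile, the chain stops at a certificate that is not self-signed, so verification passes only when `-partial_chain` tells OpenSSL to accept that certificate as the trust anchor.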
