[openssl-users] Complete CA chain is not getting delivered.
Deka, Sanjeeb
skumarde at akamai.com
Wed Jul 27 13:39:52 UTC 2016
Hi,
We needed your input for the following.
We have three different files for the secrets to be used to support SSL.
• File1(x.certificate) --> It contains the certificate of the Server.
----BEGIN CERTIFICATE----
Base-64 encoded data for server’s certificate
----END CERTIFICATE----
• File2(y.private_key) --> It contains the private key of the Server.
• File3(z.chain_cert) --> It contains the CA certificate chain(starting with the certificate of the immediate issuer and ending with the certificate of the Root CA).
----BEGIN CERTIFICATE----
Encoded data for certificate of Issuer of server’s certificate
----END CERTIFICATE----
----BEGIN CERTIFICATE----
Encoded data for certificate of Root CA
----END CERTIFICATE----
• Created complete certificate chain(a.chains) from x.certificate and z.chain_cert; created starting with content from x.certificate and followed by content
from z.chain_cert.
----BEGIN CERTIFICATE----
Encoded data for server’s certificate
----END CERTIFICATE----
----BEGIN CERTIFICATE----
Encoded data for certificate of Issuer of server’s certificate
----END CERTIFICATE----
----BEGIN CERTIFICATE----
Encoded data for certificate of Root CA
----END CERTIFICATE----
• We used SSL_CTX_use_certificate_file() to load the Server’s certificate(ie. x.certificate) and SSL_CTX_use_certificate_chain_file() to load the complete
certificate chain(a.chains)
With this approach, when we connect to the server, the server was not delivering the complete certificate chain in the CERTIFICATE message of the SSL Handshake.
We could only see certificates of Server followed by certificate of the Root CA; certificate of the intermediate CA was missing.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160727/e468512a/attachment-0001.html>
More information about the openssl-users
mailing list