[openssl-users] Certificate chain validation

Lei Kong leikong at msn.com
Fri Apr 21 21:15:28 UTC 2017


According to https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html, openssl will search the default locations for chain building:


“If no chain is specified, the library will try to complete the chain from the available CA certificates in the trusted CA storage, see SSL_CTX_load_verify_locations<https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_load_verify_locations.html>.”


From: Lei Kong<mailto:leikong at msn.com>
Sent: Friday, April 21, 2017 2:10 PM
To: openssl-users at openssl.org<mailto:openssl-users at openssl.org>
Subject: RE: [openssl-users] Certificate chain validation

Right on!
I think it is indeed an issue of partial chain on the loading side.

As a related question, on the loading side, do I need to provide the whole chain to SSL_CTX_use_certificate?
If the intermediate CA certificate is installed into a default location like /etc/ssl/certs, and only the end certificate is passed to SSL_CTX_use_certificate, will openssl search the default locations to build a complete chain before sending it to the remote side?

Thanks.

From: Jakob Bohm<mailto:jb-openssl at wisemo.com>
Sent: Friday, April 21, 2017 5:10 AM
To: openssl-users at openssl.org<mailto:openssl-users at openssl.org>
Subject: Re: [openssl-users] Certificate chain validation

On 21/04/2017 03:37, Lei Kong wrote:
>
> When validating a certificate issued by an intermediate certificate
> authority, I noticed that I need to install both the root and the
> intermediate CA certificate locally (with update-ca-certificates on
> Ubuntu 16.04). Verification fails if only root CA cert is installed
> (intermediate is not installed), is this expected behavior? Why do I
> need to install intermediate CA cert locally? Locally installed root
> CA cert is not enough to validate intermediate CA cert?
>
This is only necessary if the other end of the connection
(incorrectly) forgets to include the intermediate in the
certificate bundle sent with the data or protocol exchange.

> Is it possible to make chain validation work with only root CA cert
> installed locally?
>
Yes, if the other end is not misconfigured and you pass the
received certificate bundle to the appropriate validation
related function as a list of untrusted additional certificates,
which the certificate verification code can search for needed
intermediate certificates.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
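A worked example of the three situations Jakob describes, added here and not part of the original thread. It uses the openssl command-line tool rather than the library API: `openssl verify -untrusted` is the CLI counterpart of the untrusted STACK_OF(X509) handed to X509_STORE_CTX_init(), and a concatenated CAfile stands in for what update-ca-certificates does. The CA names, the host name leaf.example.test and the file names under $WORK are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build root -> intermediate -> leaf
# with the openssl CLI, then verify the leaf three ways. Subject names and
# file names are made up for this demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One EC key plus CSR; $1 = file basename, $2 = CN.
mkcsr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Build root, intermediate and leaf certificates in $WORK.
make_chain() {
    # A v3 certificate is only accepted as an issuer when it carries
    # basicConstraints CA:TRUE, so both CAs get these extensions.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"

    mkcsr root "Example Test Root"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
        -set_serial 1 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

    mkcsr int "Example Test Intermediate"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -days 365 -set_serial 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

    mkcsr leaf "leaf.example.test"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -days 365 -set_serial 3 -out "$WORK/leaf.pem" 2>/dev/null
}

# Case 1: only the root is trusted and nothing else is supplied. This is the
# situation from the original post and fails with
# "unable to get local issuer certificate".
verify_root_only() {
    openssl verify -no-CApath -CAfile "$WORK/root.pem" "$WORK/leaf.pem"
}

# Case 2: same root-only trust store, intermediate passed as an untrusted
# extra certificate, the way a well-configured TLS peer's bundle is used.
verify_with_untrusted() {
    openssl verify -no-CApath -CAfile "$WORK/root.pem" \
        -untrusted "$WORK/int.pem" "$WORK/leaf.pem"
}

# Case 3: the workaround from the post, the intermediate installed into the
# trust store itself (here: appended to the CAfile).
verify_with_installed_intermediate() {
    cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/trusted-bundle.pem"
    openssl verify -no-CApath -CAfile "$WORK/trusted-bundle.pem" "$WORK/leaf.pem"
}

make_chain
if verify_root_only 2>/dev/null; then
    echo "case 1: root only -> unexpectedly OK"
else
    echo "case 1: root only -> FAIL (expected: no issuer for the leaf)"
fi
verify_with_untrusted && echo "case 2: root + -untrusted intermediate -> OK"
verify_with_installed_intermediate && echo "case 3: intermediate installed as trusted -> OK"
```

Case 2 is the one a client should rely on: it keeps the trust store down to the root and uses the peer's bundle only as untrusted material for path building. Case 3 works but makes the intermediate itself a trust anchor, so a leaf signed by it would verify even if the root were later removed. On the sending side, the usual way to make sure the intermediate is in the bundle is SSL_CTX_use_certificate_chain_file() with a PEM file containing the leaf followed by the intermediate.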
