[openssl-users] cert chain file ordering question
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Jan 9 23:36:26 UTC 2018
> On Jan 9, 2018, at 5:55 PM, Norm Green <norm.green at gemtalksystems.com> wrote:
>
> Same result. The only way it seems to work is if the leaf cert appears at the end of the file.

You're badly mistaken. *ONLY* the first certificate in the file is verified.
When you put the leaf cert at the end, you're *ONLY* verifying the top-most
issuer CA certificate.

The correct way to verify a chain is to put the root CA in a CAfile,
intermediate CAs in an "untrusted" chain file, and the leaf cert all
by itself in a separate file. As explained upstream. If that's not
working, then perhaps your chain is actually incomplete or otherwise
does not satisfy all the requirements.

--
Viktor.
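
The layout described in the reply, as an added example that is not part of the original post: a throwaway root, intermediate and leaf are generated (all file names and subjects are constructed), the leaf is verified with `-CAfile` and `-untrusted`, and a leaf-last bundle is passed as the target to show that only its first certificate is checked.

```sh
#!/bin/sh
# Added example: throwaway demo PKI; every name and subject here is constructed.

issue() {  # issue NAME SUBJECT [openssl x509 signing options...]
    name=$1 subj=$2; shift 2
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "$subj" 2>/dev/null &&
    openssl x509 -req -in "$name.csr" -days 2 -out "$name.pem" "$@" 2>/dev/null
}

build_demo_pki() {
    # CA certificates need basicConstraints CA:TRUE to be accepted as issuers.
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    issue root "/CN=Demo Root CA" -signkey root.key -extfile ca.ext &&
    issue intermediate "/CN=Demo Intermediate CA" \
        -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext &&
    issue leaf "/CN=leaf.example" \
        -CA intermediate.pem -CAkey intermediate.key -CAcreateserial &&
    # Self-signed certificate that the demo CAs never issued.
    issue unrelated "/CN=unrelated.example" -signkey unrelated.key &&
    # Leaf-last bundle: issuer certificates first, end-entity certificate last.
    cat intermediate.pem root.pem unrelated.pem > bundle.pem
}

# Layout from the reply: root in -CAfile, intermediates in -untrusted,
# and the certificate under test alone in its own file.
verify_chain() {
    openssl verify -CAfile root.pem -untrusted intermediate.pem "$1" >/dev/null 2>&1
}

# A multi-certificate file passed as the target: only its first cert is checked.
verify_bundle() {
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
}

workdir=$(mktemp -d) && cd "$workdir" && build_demo_pki || exit 1
verify_chain leaf.pem      && echo "leaf.pem: verified via intermediate to root"
verify_chain unrelated.pem || echo "unrelated.pem: rejected"
verify_bundle bundle.pem   && echo "bundle.pem: OK, yet only intermediate.pem was checked"
```

The bundle ends in a certificate the demo CAs never issued, so its passing result shows that certificates after the first are never examined.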