Certificate verification with cross signed CAs
James
openssl-users at natsuki.co.uk
Tue Jul 2 09:25:15 UTC 2024
The certificates are attached below.
The use case is client A only has ta_primary_cert.pem and client B only has ta_secondary_cert.pem
I’m trying to build a chain that the server can use (in the server hello) so that both client A and client B can successfully connect.
Since openssl verify -trusted ta_secondary_cert.pem -untrusted cross_ca_cert.pem server_cert.pem works, I'm not sure why adding the other untrusted CA certificate would cause verification to fail - there is still a valid path from the leaf to a trusted root.
$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
$ openssl verify -trusted ta_primary_cert.pem -untrusted ca_cert.pem server_cert.pem
server_cert.pem: OK
$ openssl verify -trusted ta_secondary_cert.pem -untrusted cross_ca_cert.pem server_cert.pem
server_cert.pem: OK
$ openssl verify -trusted ta_secondary_cert.pem -untrusted ca_cert.pem -untrusted cross_ca_cert.pem server_cert.pem
C = GB, O = Acme, L = London, CN = Intermediate CA
error 20 at 1 depth lookup: unable to get local issuer certificate
error server_cert.pem: verification failed
$ openssl verify -trusted ta_secondary_cert.pem -untrusted cross_ca_cert.pem -untrusted ca_cert.pem server_cert.pem
server_cert.pem: OK
> On 2 Jul 2024, at 01:55, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
>
> Please post the actual certificates in question. Verification should
> succeed regardless of which of "ca" or "alt_ca" is listed first,
> *provided* both roots are trusted, your mistake is specifying only one
> root, with both intermediate issuers.
>
> If the CAs are internal CAs you control, the CA could issue certificates
> containing an authority key identifier (AKID) which specifies the
> CA's issuer DN (the root CA subject). This would ensure that the right
> issuer is chosen. In practice, you'd still want to trust both roots.
>
> --
> Viktor.
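An added example (not from the thread) that rebuilds the layout above with throwaway keys: two roots, one intermediate key holding a cert from each root (as ca_cert.pem and cross_ca_cert.pem do), and a leaf under it. The subject names and the leaf CN server.example are constructed; the checks show that supplying both roots as trust anchors makes the outcome independent of the order of the -untrusted files.

```shell
#!/bin/sh
# Added example (not from the original post): recreate the thread's PKI layout
# with throwaway keys, then compare single-root against both-roots trust stores.
set -eu
WORK="$(mktemp -d)"
EC="ec -pkeyopt ec_paramgen_curve:prime256v1"   # small, fast keys for the demo
# csr NAME SUBJECT: fresh key and CSR in $WORK/NAME.key / $WORK/NAME.csr
csr() {
  openssl req -new -newkey $EC -nodes -subj "$2" -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" 2>/dev/null
}
# ext CA:TRUE|FALSE [AKID line]: write the v3 extension file used when signing
ext() {
  printf 'basicConstraints=critical,CA:%s\nsubjectKeyIdentifier=hash\n%s\n' \
    "$1" "${2:-}" > "$WORK/ext.cnf"
}
# selfsign NAME: root certificate $WORK/NAME.pem from NAME.csr and NAME.key
selfsign() {
  ext TRUE
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
    -extfile "$WORK/ext.cnf" -out "$WORK/$1.pem" 2>/dev/null
}
# sign CSR CACERT CAKEY OUT CA:TRUE|FALSE: issue $WORK/OUT.pem under CACERT
sign() {
  ext "$5" 'authorityKeyIdentifier=keyid,issuer'
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/$4.pem" 2>/dev/null
}
# chk TRUSTED UNTRUSTED...: succeed iff server.pem verifies against that trust
# store, with the untrusted intermediates passed in exactly the order given
chk() {
  t="$WORK/$1.pem"; shift; u=""
  for c in "$@"; do u="$u -untrusted $WORK/$c.pem"; done
  openssl verify -trusted "$t" $u "$WORK/server.pem" >/dev/null 2>&1
}
report() { l="$1"; shift; if chk "$@"; then echo "OK    $l"; else echo "FAIL  $l"; fi; }
csr ta_primary "/O=Acme/CN=Primary Root" && selfsign ta_primary
csr ta_secondary "/O=Acme/CN=Secondary Root" && selfsign ta_secondary
csr int "/C=GB/O=Acme/L=London/CN=Intermediate CA"      # one key, two certs:
sign int ta_primary   ta_primary   ca       TRUE        #   like ca_cert.pem
sign int ta_secondary ta_secondary cross_ca TRUE        #   like cross_ca_cert.pem
csr srv "/O=Acme/CN=server.example"                     # constructed leaf name
sign srv ca int server FALSE                            # leaf signed by the intermediate key
cat "$WORK/ta_primary.pem" "$WORK/ta_secondary.pem" > "$WORK/both.pem"
report "primary only, ca"               ta_primary   ca
report "secondary only, cross_ca"       ta_secondary cross_ca
report "secondary only, ca then cross"  ta_secondary ca cross_ca   # the order that failed above
report "both roots, ca then cross"      both ca cross_ca
report "both roots, cross then ca"      both cross_ca ca
```

The third report reproduces the thread's failing command shape and is printed rather than asserted, since OpenSSL picks the first untrusted issuer whose name matches and then needs that issuer's root in the trust store.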